CVE-2023-36932

HIGH

Progress MOVEit Transfer < 2020.1.11, 2021.0.9, 2021.1.7, 2022.0.7, 2022.1.8, 2023.0.4 - Authenticated SQL Injection

Description

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Scores

CVSS v3 8.1
EPSS 0.1584
EPSS Percentile 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
progress/moveit_transfer < 2020.1.11
Published Jul 05, 2023
Tracked Since Feb 18, 2026