A third MOVEit vulnerability fixed, Cl0p lists victim organizations (CVE-2023-35708)
2023-06-19 11:56

Progress Software has asked customers to update their MOVEit Transfer installations again, to fix a third SQL injection vulnerability discovered in the web application in less than a month.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," the company said on Thursday.

The vulnerability has been fixed in MOVEit Transfer versions 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, and 2023.0.3.

"We have not seen any evidence that the vulnerability reported on June 15 has been exploited," the company said on Sunday.

"Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud."

In the meantime, Cl0p has started disclosing the names of organizations whose data they grabbed by exploiting CVE-2023-34362.


News URL

https://www.helpnetsecurity.com/2023/06/19/cve-2023-35708/

Related Vulnerability

Date: 2023-06-02
CVE: CVE-2023-34362
Vulnerability title: SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
network; low complexity; progress; CWE-89
Risk: critical (9.8)