Security News > 2023 > July > Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software

Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software
2023-07-07 14:01

Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer.

The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.

CVE-2023-36932 is a SQL injection flaw that can be exploited by attackers who are logged in to gain unauthorized access to the MOVEit Transfer database.

CVE-2023-36933, on the other hand, is a vulnerability that allows attackers to unexpectedly shut down the MOVEit Transfer program.

These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and earlier.

Users are strongly advised to update to the latest version of MOVEit Transfer to reduce the risks posed by these vulnerabilities.


News URL

https://thehackernews.com/2023/07/another-critical-unauthenticated-sqli.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-07-05 CVE-2023-36934 SQL Injection vulnerability in Progress Moveit Transfer
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
network
low complexity
progress CWE-89
critical
 9.1
9.1
2023-07-05 CVE-2023-36933 Improper Handling of Exceptional Conditions vulnerability in Progress Moveit Transfer
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception.
network
low complexity
progress CWE-755
7.5
7.5
2023-07-05 CVE-2023-36932 SQL Injection vulnerability in Progress Moveit Transfer
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database.
network
low complexity
progress CWE-89
8.1
8.1