Description
Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) contains an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
Remediation
Patches for all supported MOVEit Transfer versions are available.
References
MOVEit Transfer Critical Vulnerability (May 2023)
MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response