CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2324 – A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder
https://notcve.org/view.php?id=CVE-2025-2324
19 Mar 2025 — Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2. • https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-2324-March-18-2025 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2024-6576 – MOVEit Transfer Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-6576
29 Jul 2024 — Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. • https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 93%CPEs: 3EXPL: 3CVE-2024-5806 – MOVEit Transfer Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5806
25 Jun 2024 — Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. • https://packetstorm.news/files/id/180703 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-2291 – MOVEit Transfer Logging Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-2291
20 Mar 2024 — In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly. • https://github.com/ASR511-OO7/CVE-2024-22917 • CWE-778: Insufficient Logging •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0CVE-2024-0396 – Missing Server-Side Input Validation in HTTP Parameter
https://notcve.org/view.php?id=CVE-2024-0396
17 Jan 2024 — In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service. En las versiones de Progress MOVEit Transfer lanzadas antes de 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 ... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024 • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6218 – MOVEit Transfer Group Admin Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-6218
29 Nov 2023 — In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator. En las versiones de Progress MOVEit Transfer lanzadas antes de 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), se ha identificado una ruta de escalada de privilegios asociada co... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 • CWE-269: Improper Privilege Management •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6217 – MOVEit Transfer XSS via MOVEit Gateway
https://notcve.org/view.php?id=CVE-2023-6217
29 Nov 2023 — In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context o... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-42656 – MOVEit Transfer Reflected XSS
https://notcve.org/view.php?id=CVE-2023-42656
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser. V... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 14%CPEs: 4EXPL: 0CVE-2023-40043 – MOVEit Transfer System Administrator SQL Injection
https://notcve.org/view.php?id=CVE-2023-40043
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content. En l... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 31%CPEs: 4EXPL: 0CVE-2023-42660 – MOVEit Transfer Machine Interface SQL Injection
https://notcve.org/view.php?id=CVE-2023-42660
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content. En las versiones de MOVEit... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •