
CVE-2024-2291 – MOVEit Transfer Logging Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-2291
20 Mar 2024 — In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly. • https://github.com/ASR511-OO7/CVE-2024-22917 • CWE-778: Insufficient Logging •

CVE-2024-0396 – Missing Server-Side Input Validation in HTTP Parameter
https://notcve.org/view.php?id=CVE-2024-0396
17 Jan 2024 — In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service. • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024 • CWE-20: Improper Input Validation •

CVE-2023-6218 – MOVEit Transfer Group Admin Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-6218
29 Nov 2023 — In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group member's permissions to the role of an organization administrator. • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 • CWE-269: Improper Privilege Management •

CVE-2023-6217 – MOVEit Transfer XSS via MOVEit Gateway
https://notcve.org/view.php?id=CVE-2023-6217
29 Nov 2023 — In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context o... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-42656 – MOVEit Transfer Reflected XSS
https://notcve.org/view.php?id=CVE-2023-42656
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser. V... • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-40043 – MOVEit Transfer System Administrator SQL Injection
https://notcve.org/view.php?id=CVE-2023-40043
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content. • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-42660 – MOVEit Transfer Machine Interface SQL Injection
https://notcve.org/view.php?id=CVE-2023-42660
20 Sep 2023 — In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content. • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-36932
https://notcve.org/view.php?id=CVE-2023-36932
05 Jul 2023 — In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database c... • https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-36933
https://notcve.org/view.php?id=CVE-2023-36933
05 Jul 2023 — In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly. • https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023 • CWE-755: Improper Handling of Exceptional Conditions •

CVE-2023-36934 – Progress Software MOVEit Transfer UserProcessPassChangeRequest SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-36934
05 Jul 2023 — In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. ... • https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •