CVE-2023-40043

MOVEit Transfer System Administrator SQL Injection

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator

could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.

En las versiones de MOVEit Transfer lanzadas antes de 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), se ha identificado una vulnerabilidad de inyección SQL en la interfaz web de MOVEit Transfer que podría permitir que una cuenta de administrador del sistema MOVEit obtenga acceso no autorizado a la base de datos de MOVEit Transfer. Un administrador del sistema MOVEit podría enviar un payload manipulado a la interfaz web de MOVEit Transfer, lo que podría dar como resultado la modificación y divulgación del contenido de la base de datos de MOVEit.

*Credits: N/A

CVSS Scores

NISTv3.1 7.2

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-08 CVE Reserved
2023-09-20 CVE Published
2024-08-02 CVE Updated
2024-09-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

CAPEC-66: SQL Injection

References (2)

URL	Tag	Source
https://www.progress.com/moveit	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023	2023-09-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Progress Search vendor "Progress"		Moveit Transfer Search vendor "Progress" for product "Moveit Transfer"				< 2021.1.8 Search vendor "Progress" for product "Moveit Transfer" and version " < 2021.1.8"		-		Affected
Progress Search vendor "Progress"		Moveit Transfer Search vendor "Progress" for product "Moveit Transfer"				>= 2022.0.0 < 2022.0.8 Search vendor "Progress" for product "Moveit Transfer" and version " >= 2022.0.0 < 2022.0.8"		-		Affected
Progress Search vendor "Progress"		Moveit Transfer Search vendor "Progress" for product "Moveit Transfer"				>= 2022.1.0 < 2022.1.9 Search vendor "Progress" for product "Moveit Transfer" and version " >= 2022.1.0 < 2022.1.9"		-		Affected
Progress Search vendor "Progress"		Moveit Transfer Search vendor "Progress" for product "Moveit Transfer"				>= 2023.0.0 < 2023.0.6 Search vendor "Progress" for product "Moveit Transfer" and version " >= 2023.0.0 < 2023.0.6"		-		Affected