Lucene search

[email protected]CVE-2023-42660

HistorySep 20, 2023 - 5:15 p.m.

CVE-2023-42660

2023-09-2017:15:11

CWE-89

[email protected]

web.nvd.nist.gov

cve-2023-42660

sql injection

moveit transfer

vulnerability

security

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.

Affected configurations

NVD

Node

progressmoveit_transferRange<2021.1.8

progressmoveit_transferRange2022.0.0–2022.0.8

progressmoveit_transferRange2022.1.0–2022.1.9

progressmoveit_transferRange2023.0.0–2023.0.6

CPENameOperatorVersion
progress:moveit_transferprogress moveit transferlt2021.1.8
progress:moveit_transferprogress moveit transferlt2022.0.8
progress:moveit_transferprogress moveit transferlt2022.1.9
progress:moveit_transferprogress moveit transferlt2023.0.6

CPE	Name	Operator	Version
progress:moveit_transfer	progress moveit transfer	lt	2021.1.8
progress:moveit_transfer	progress moveit transfer	lt	2022.0.8
progress:moveit_transfer	progress moveit transfer	lt	2022.1.9
progress:moveit_transfer	progress moveit transfer	lt	2023.0.6

CNA Affected

[
  {
    "defaultStatus": "affected",
    "modules": [
      "MOVEit Transfer Machine Interface"
    ],
    "product": "MOVEit Transfer",
    "vendor": "Progress Software Corporation",
    "versions": [
      {
        "lessThan": "2023.0.6 (15.0.6)",
        "status": "affected",
        "version": "2023.0.0 (15.0.0)",
        "versionType": "semver"
      },
      {
        "lessThan": "2022.1.9 (14.1.9)",
        "status": "affected",
        "version": "2022.1.0 (14.1.0)",
        "versionType": "semver"
      },
      {
        "lessThan": "2022.0.8 (14.0.8)",
        "status": "affected",
        "version": "2022.0.0 (14.0.0)",
        "versionType": "semver"
      },
      {
        "lessThan": "2021.1.8 (13.1.8)",
        "status": "affected",
        "version": "2021.1.0 (13.1.0)",
        "versionType": "semver"
      }
    ]
  }
]

References

community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023

www.progress.com/moveit

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

Related for CVE-2023-42660

prion1 cvelist1 nvd1 nessus1