33 matches found
CVE-2023-34362
MOVEit Transfer CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web app that allows an unauthenticated attacker to access MOVEit databases. Affected versions include 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), with all ...
CVE-2023-35036
MOVEit Transfer is affected by a SQL injection vulnerability in its web application. Connected sources confirm an unauthenticated attacker could modify and disclose MOVEit’s database content due to how SQL queries are constructed. Affected versions include pre-2021.0.7 (13.0.7), 2021.1.5 (13.1.5)...
CVE-2024-5806
CVE-2024-5806 affects the MOVEit Transfer SFTP module. The issue is an Improper Authentication vulnerability that can lead to an Authentication Bypass . Affected versions include MOVEit Transfer 2023.0.x prior to 2023.0.11, 2023.1.x prior to 2023.1.6, and 2024.0.x prior to 2024.0.2. Root cause is...
CVE-2023-35708
MOVEit Transfer is affected by a SQL injection in the web application that can allow an unauthenticated attacker to modify and disclose MOVEit’s database content. Affected versions include 2020.1.10 (12.1.10) and 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023...
CVE-2020-8612
CVE-2020-8612 affects Progress MOVEit Transfer: vulnerable in 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1 due to a REST API endpoint that does not adequately sanitize malicious input, enabling an authenticated attacker to execute arbitrary code in a user’s browser (XSS). Connected sources c...
CVE-2020-8611
CVE-2020-8611 reports multiple SQL injection vulnerabilities in the REST API of MOVEit Transfer (versions 2019.1 prior to 2019.1.4 and 2019.2 prior to 2019.2.1). An authenticated attacker could gain unauthorized access to MOVEit Transfer’s database via the REST API, and depending on the database ...
CVE-2023-36934
MOVEit Transfer web application (versions 12.1.11, 13.0.9, 13.1.7, 14.0.7, 14.1.8, 15.0.4 and earlier) is affected by a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit database by sending a crafted payload to an application endpoi...
CVE-2021-38159
CVE-2021-38159 affects Progress MOVEit Transfer web applications; versions before 2021.0.4 (13.0.4) are vulnerable to unauthenticated SQL injection. An attacker could access the backend database, potentially inferring schema/data or executing statements that alter or delete elements, with impact ...
CVE-2023-40043
CVE-2023-40043 affects Progress MOVEit Transfer: a SQL injection in the web interface could let a MOVEit system administrator submit a crafted payload to modify and disclose database content. Affected are MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14....
CVE-2024-6576
CVE-2024-6576 - Progress MOVEit Transfer (SFTP module) : Affected MOVEit Transfer versions include 2023.0.0–2023.0.11, 2023.1.0–2023.1.6, and 2024.0.0–2024.0.2, with a root cause described as an improper authentication vulnerability that can lead to privilege escalation. Remediation per sources: ...
CVE-2023-36932
MOVEit Transfer contains CVE-2023-36932, a SQL injection vulnerability in the web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database by submitting crafted payloads to an application endpoint. Affected versions include pre-2020.1.11 (...
CVE-2023-42660
CVE-2023-42660 affects Progress MOVEit Transfer: a SQL injection in the MOVEit Transfer machine interface (web/machine interface) in versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6) could let an authenticated attacker gain unauthorized access to ...
CVE-2025-2324
The CVE-2025-2324 entry concerns an Improper Privilege Management issue in MOVEit Transfer (SFTP module) where users configured as Shared Accounts can gain elevated permissions. Affected versions are MOVEit Transfer: 2023.1.0–2023.1.11, 2024.0.0–2024.0.7, and 2024.1.0–2024.1.1. Remediations are t...
CVE-2024-2291
CVE-2024-2291 (MOVEit Transfer) is a logging bypass vulnerability affecting MOVEit Transfer versions prior to 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), and 2023.1.4 (15.1.4). An authenticated user can manipulate a request to bypass the web application’s logging mechanism, causi...
CVE-2023-36933
CVE-2023-36933 affects Progress MOVEit Transfer: an attacker could invoke a method that triggers an unhandled exception, causing the MOVEit Transfer application to terminate. Affected versions include pre-2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15...
CVE-2023-6218
MOVEit Transfer CVE-2023-6218 describes an elevation-of-privilege vulnerability where a group administrator can upgrade a group member to organization administrator. Affected products/versions are MOVEit Transfer prior to 2022.0.9 (14.0.9), prior to 2022.1.10 (14.1.10), and prior to 2023.0.7 (15....
CVE-2024-0396
CVE-2024-0396 affects Progress MOVEit Transfer. An authenticated user can manipulate a parameter in an HTTPS transaction, causing computational errors and potentially a denial of service. Affected versions include before 2022.0.10 (14.0.10), before 2022.1.11 (14.1.11), before 2023.0.8 (15.0.8), a...
CVE-2021-33894
MOVEit Transfer contains a SQL injection vulnerability in SILUtility.vb within MOVEit.DMZ.WebApp affecting multiple release lines (2019.x, 2020.x, 2021.x up to 2021.0.1). An authenticated attacker could access the database, and depending on the engine (MySQL, Microsoft SQL Server, or Azure SQL) p...
CVE-2021-31827
CVE-2021-31827 affects MOVEit Transfer (DMZ) up to version 2020.1 (12.1.1.116). The vulnerability is a SQL Injection in MOVEit.DMZ.WebApp’s SILHuman.vb (FolderApplySettingsRecurs path) that requires authentication and can allow an attacker to access the MOVEit Transfer database, infer schema/cont...
CVE-2021-37614
In Progress MOVEit Transfer, a SQL injection vulnerability exists in the MOVEit Transfer web application for certain versions prior to 2021.0.3 (13.0.3). An authenticated remote attacker could potentially access the backend database, with the impact depending on the database engine (MySQL, Micros...
CVE-2020-28647
MOVEit Transfer (pre-2020.1) is affected by a stored XSS vulnerability: a malicious payload crafted by an attacker can be stored in the app and, when a user interacts with it, execute arbitrary code in the victim’s browser. Public advisories and a GitHub exploit example describe the existence of ...
CVE-2023-6217
CVE-2023-6217 describes a reflected Cross-Site Scripting (XSS) vulnerability in MOVEit Transfer when used with MOVEit Gateway. Affected: MOVEit Transfer versions before 2022.0.9 (14.0.9), before 2022.1.10 (14.1.10), and before 2023.0.7 (15.0.7). Root cause: XSS in a combined MOVEit Gateway/Transf...
CVE-2023-42656
CVE-2023-42656 affects MOVEit Transfer prior to 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), and 2023.0.6 (15.0.6). The issue is a reflected cross-site scripting (XSS) vulnerability in MOVEit Transfer’s web interface. An attacker could craft a malicious payload during the package comp...
CVE-2025-11235
Progress MOVEit Transfer on Windows REST API modules is affected by an unverified password change vulnerability. Affected versions include MOVEit Transfer 2022.0.0–2022.0.10, 2022.1.0–2022.1.11, 2023.0.0–2023.0.8, and 2023.1.0–2023.1.3. The issue is documented across multiple sources (including R...
CVE-2025-13147
CVE-2025-13147 concerns Progress MOVEit Transfer. A(Server-Side) SSRF vulnerability exists in MOVEit Transfer core handling, affecting versions before 2024.1.8 and 2025.0.0 up to before 2025.0.4. The issue allows an attacker to cause the server to make unauthorized requests, potentially accessing...
CVE-2026-11903
CVE-2026-11903 is a stored XSS in the Progress MOVEit Transfer (Ad Hoc module). The issue arises from improper neutralization of input during web page generation. Affects MOVEit Transfer versions: 2026.0.0 before 2026.0.1; 2025.1.0 before 2025.1.4; 2025.0.0 before 2025.0.8. CVSS v3.1 base score 8...
CVE-2026-10699
CVE-2026-10699 affects Progress MOVEit Transfer (Custom Reports modules) with a memory leak caused by missing release of memory after its effective lifetime. Affects MOVEit Transfer versions: 2025.0.0–before 2025.0.8, 2025.1.0–before 2025.1.4, and 2026.0.0–before 2026.0.1. The issue can lead to d...
CVE-2026-8800
CVE-2026-8800 concerns an Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module). Affected software is MOVEit Transfer; impact involves unauthorized access across confidentiality, integrity, and availability (CVSS v3.1 base score 8.8, HIGH). Affected versions are MO...
CVE-2026-8801
Technical details about CVE-2026-8801 are not publicly available in the provided documents. Monitor for further updates from vendors and standard CVE sources.
CVE-2026-8649
Summary of CVE-2026-8649 : An instance of Improper Neutralization of Special Elements in Data Query Logic affects MOVEit Transfer (Custom Reports modules). The issue impacts MOVEit Transfer versions prior to 2025.0.7 and from 2025.1.0 up to before 2025.1.3. The CVSS vectors indicate a high-severi...
CVE-2026-8650
Vulnerability: Relative path traversal in Progress MOVEit Transfer (Admin Settings module). Affected versions: MOVEit Transfer before 2025.0.7, and from 2025.1.0 before 2025.1.3. Impact (as described): Authenticated path traversal that can allow viewing arbitrary system files. Notes: The provided...
CVE-2026-8651
MOVEit Transfer (HTTPS module) is affected by a limited authentication bypass via spoofing. Affected versions are MOVEit Transfer before 2025.0.7 and 2025.1.0 before 2025.1.3. The provided documents do not specify the root cause details beyond spoofing, nor explicit remediation steps or exploit s...
CVE-2026-10698
CVE-2026-10698 is an Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer, specifically affecting the Custom Reports module . Affected versions are MOVEit Transfer 2025.0.0–before 2025.0.8, 2025.1.0–before 2025.1.4, and 2026.0.0–before 2026.0.1...