25 matches found
CVE-2023-34362
MOVEit Transfer CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web app that allows an unauthenticated attacker to access MOVEit databases. Affected versions include 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), with all ...
CVE-2023-35036
MOVEit Transfer is affected by a SQL injection vulnerability in its web application. Connected sources confirm an unauthenticated attacker could modify and disclose MOVEit’s database content due to how SQL queries are constructed. Affected versions include pre-2021.0.7 (13.0.7), 2021.1.5 (13.1.5)...
CVE-2024-5806
CVE-2024-5806 affects the MOVEit Transfer SFTP module. The issue is an Improper Authentication vulnerability that can lead to an Authentication Bypass . Affected versions include MOVEit Transfer 2023.0.x prior to 2023.0.11, 2023.1.x prior to 2023.1.6, and 2024.0.x prior to 2024.0.2. Root cause is...
CVE-2020-8612
CVE-2020-8612 affects Progress MOVEit Transfer: vulnerable in 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1 due to a REST API endpoint that does not adequately sanitize malicious input, enabling an authenticated attacker to execute arbitrary code in a user’s browser (XSS). Connected sources c...
CVE-2023-35708
MOVEit Transfer is affected by a SQL injection in the web application that can allow an unauthenticated attacker to modify and disclose MOVEit’s database content. Affected versions include 2020.1.10 (12.1.10) and 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023...
CVE-2020-8611
CVE-2020-8611 reports multiple SQL injection vulnerabilities in the REST API of MOVEit Transfer (versions 2019.1 prior to 2019.1.4 and 2019.2 prior to 2019.2.1). An authenticated attacker could gain unauthorized access to MOVEit Transfer’s database via the REST API, and depending on the database ...
CVE-2023-36934
MOVEit Transfer web application (versions 12.1.11, 13.0.9, 13.1.7, 14.0.7, 14.1.8, 15.0.4 and earlier) is affected by a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit database by sending a crafted payload to an application endpoi...
CVE-2021-38159
CVE-2021-38159 affects Progress MOVEit Transfer web applications; versions before 2021.0.4 (13.0.4) are vulnerable to unauthenticated SQL injection. An attacker could access the backend database, potentially inferring schema/data or executing statements that alter or delete elements, with impact ...
CVE-2023-40043
CVE-2023-40043 affects Progress MOVEit Transfer: a SQL injection in the web interface could let a MOVEit system administrator submit a crafted payload to modify and disclose database content. Affected are MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14....
CVE-2024-6576
CVE-2024-6576 - Progress MOVEit Transfer (SFTP module) : Affected MOVEit Transfer versions include 2023.0.0–2023.0.11, 2023.1.0–2023.1.6, and 2024.0.0–2024.0.2, with a root cause described as an improper authentication vulnerability that can lead to privilege escalation. Remediation per sources: ...
CVE-2023-36932
MOVEit Transfer contains CVE-2023-36932, a SQL injection vulnerability in the web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database by submitting crafted payloads to an application endpoint. Affected versions include pre-2020.1.11 (...
CVE-2024-2291
CVE-2024-2291 (MOVEit Transfer) is a logging bypass vulnerability affecting MOVEit Transfer versions prior to 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), and 2023.1.4 (15.1.4). An authenticated user can manipulate a request to bypass the web application’s logging mechanism, causi...
CVE-2023-42660
CVE-2023-42660 affects Progress MOVEit Transfer: a SQL injection in the MOVEit Transfer machine interface (web/machine interface) in versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6) could let an authenticated attacker gain unauthorized access to ...
CVE-2025-2324
The CVE-2025-2324 entry concerns an Improper Privilege Management issue in MOVEit Transfer (SFTP module) where users configured as Shared Accounts can gain elevated permissions. Affected versions are MOVEit Transfer: 2023.1.0–2023.1.11, 2024.0.0–2024.0.7, and 2024.1.0–2024.1.1. Remediations are t...
CVE-2023-36933
CVE-2023-36933 affects Progress MOVEit Transfer: an attacker could invoke a method that triggers an unhandled exception, causing the MOVEit Transfer application to terminate. Affected versions include pre-2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15...
CVE-2023-6218
MOVEit Transfer CVE-2023-6218 describes an elevation-of-privilege vulnerability where a group administrator can upgrade a group member to organization administrator. Affected products/versions are MOVEit Transfer prior to 2022.0.9 (14.0.9), prior to 2022.1.10 (14.1.10), and prior to 2023.0.7 (15....
CVE-2024-0396
CVE-2024-0396 affects Progress MOVEit Transfer. An authenticated user can manipulate a parameter in an HTTPS transaction, causing computational errors and potentially a denial of service. Affected versions include before 2022.0.10 (14.0.10), before 2022.1.11 (14.1.11), before 2023.0.8 (15.0.8), a...
CVE-2021-33894
MOVEit Transfer contains a SQL injection vulnerability in SILUtility.vb within MOVEit.DMZ.WebApp affecting multiple release lines (2019.x, 2020.x, 2021.x up to 2021.0.1). An authenticated attacker could access the database, and depending on the engine (MySQL, Microsoft SQL Server, or Azure SQL) p...
CVE-2021-31827
CVE-2021-31827 affects MOVEit Transfer (DMZ) up to version 2020.1 (12.1.1.116). The vulnerability is a SQL Injection in MOVEit.DMZ.WebApp’s SILHuman.vb (FolderApplySettingsRecurs path) that requires authentication and can allow an attacker to access the MOVEit Transfer database, infer schema/cont...
CVE-2020-28647
MOVEit Transfer (pre-2020.1) is affected by a stored XSS vulnerability: a malicious payload crafted by an attacker can be stored in the app and, when a user interacts with it, execute arbitrary code in the victim’s browser. Public advisories and a GitHub exploit example describe the existence of ...
CVE-2021-37614
In Progress MOVEit Transfer, a SQL injection vulnerability exists in the MOVEit Transfer web application for certain versions prior to 2021.0.3 (13.0.3). An authenticated remote attacker could potentially access the backend database, with the impact depending on the database engine (MySQL, Micros...
CVE-2023-6217
CVE-2023-6217 describes a reflected Cross-Site Scripting (XSS) vulnerability in MOVEit Transfer when used with MOVEit Gateway. Affected: MOVEit Transfer versions before 2022.0.9 (14.0.9), before 2022.1.10 (14.1.10), and before 2023.0.7 (15.0.7). Root cause: XSS in a combined MOVEit Gateway/Transf...
CVE-2023-42656
CVE-2023-42656 affects MOVEit Transfer prior to 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), and 2023.0.6 (15.0.6). The issue is a reflected cross-site scripting (XSS) vulnerability in MOVEit Transfer’s web interface. An attacker could craft a malicious payload during the package comp...
CVE-2025-13147
CVE-2025-13147 concerns Progress MOVEit Transfer. A(Server-Side) SSRF vulnerability exists in MOVEit Transfer core handling, affecting versions before 2024.1.8 and 2025.0.0 up to before 2025.0.4. The issue allows an attacker to cause the server to make unauthorized requests, potentially accessing...
CVE-2025-11235
Progress MOVEit Transfer on Windows REST API modules is affected by an unverified password change vulnerability. Affected versions include MOVEit Transfer 2022.0.0–2022.0.10, 2022.1.0–2022.1.11, 2023.0.0–2023.0.8, and 2023.1.0–2023.1.3. The issue is documented across multiple sources (including R...