You can now find Cyber Kendra on Google News!

New MOVEit Transfer SQL Injection Vulnerabilities Discovered - Patch Now!

MOVEit Transfer SQL Injection Vulnerabilities
Progress Software has released security updates for its MOVEit Transfer file transfer application. The updates fix a couple of SQL injection vulnerabilities and one Reflected Cross-Site Scripted (XSS) that could have allowed hackers to steal sensitive information from the application.

According to the security advisory by the Progress team, both SQL injection vulnerability was found by Progress engineers and XSS was reported through Bugcrowd by the researcher going with the handle HusseiN98D.

A zero-day vulnerability in Progress-owned MOVEit software tracked as CVE-2023-34362, was mass exploited by the Clop ransomware gang, to steal data from large organizations worldwide. The organizations previously reported to be affected by MOVEit vulnerability include Shell, BBC, British Airways, Boots, CalPERS, Aer Lingus, Honeywell, and US government agencies. 

The first SQL injection vulnerability CVE-2023-40043 has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content. 

Another SQL injection flaw identified as CVE-2023-42660, was discovered in MOVEit Transfer's web interface.  An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure.  If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.

The two SQL injection security issues impact multiple versions of MOVEit Transfer, including 13.1.8 and older, 14.0.8 and older, 14.1.9 and older, and 15.0.6 and older.

A third vulnerability addressed with this patch is CVE-2023-42656, which is a reflected cross-site scripting (XSS) vulnerability that has been identified in MOVEit Transfer's web interface.  An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure.  If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.

This flaw impacts MOVEit Transfer versions 13.1.8 and older, 14.0.8 and older, 14.1.9 and older, and 15.0.6 and older.

Users of MOVEit Transfer are recommended to upgrade to the versions highlighted in the below table, which address the mentioned vulnerabilities.

Affected Version Fixed Version (Full Installer) Documentation Release Notes
MOVEit Transfer 2023.0.x (15.0.x) MOVEit Transfer 2023.0.6 (15.0.6) MOVEit 2023 Upgrade Documentation MOVEit Transfer 2023.0.6 Release Notes
MOVEit Transfer 2022.1.x (14.1.x) MOVEit Transfer 2022.1.9 (14.1.9) MOVEit 2022 Upgrade Documentation MOVEit Transfer 2022.1.9 Release Notes
MOVEit Transfer 2022.0.x (14.0.x) MOVEit Transfer 2022.0.8 (14.0.8) MOVEit 2022 Upgrade Documentation MOVEit Transfer 2022.0.8 Release Notes
MOVEit Transfer 2021.1.x (13.1.x) MOVEit Transfer 2021.1.8 (13.1.8) MOVEit 2021 Upgrade Documentation MOVEit Transfer 2021.1.8 Release Notes
MOVEit Transfer 2021.0.x (13.0.x) or older Must Upgrade to a Supported Version See MOVEit Transfer Upgrade and
Migration Guide
N/A

Post a Comment