CVE-2021-37614SQL Injection in Moveit Transfer

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 61.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Progress Moveit Transfer
Timeline
PublishedAug 5
Latest updateMay 24

Description

In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Tra

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDprogress/moveit_transfer2019.12019.1.6+5

Patches

Patch: community.progress.comPatch: community.progress.com

🔴Vulnerability Details

2
GHSA
GHSA-6fhf-7rm6-v2w4: In certain Progress MOVEit Transfer versions before 20212022-05-24
CVEList
CVE-2021-37614: In certain Progress MOVEit Transfer versions before 20212021-08-05
CVE-2021-37614 — SQL Injection in Moveit Transfer | cvebase