CVE-2023-40043SQL Injection in Software Corporation Moveit Transfer

CWE-89SQL Injection3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.5%
top 35.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Progress Software Corporation Moveit TransferProgress Moveit Transfer
Timeline
PublishedSep 20

Description

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDprogress/moveit_transfer2022.0.02022.0.8+3
CVEListV5progress_software_corporation/moveit_transfer2023.0.0 (15.0.0)2023.0.6 (15.0.6)+3

🔴Vulnerability Details

2
CVEList
MOVEit Transfer System Administrator SQL Injection2023-09-20
GHSA
GHSA-fmqw-pc9c-vx39: In Progress MOVEit Transfer versions released before 20212023-09-20
CVE-2023-40043 — SQL Injection | cvebase