CVE-2023-42656 — Cross-site Scripting in Software Corporation Moveit Transfer

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 94.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Progress Software Corporation Moveit Transfer Progress Moveit Transfer

Timeline

PublishedSep 20

Description

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDprogress/moveit_transfer2022.0.0 — 2022.0.8+3

▶CVEListV5progress_software_corporation/moveit_transfer2023.0.0 (15.0.0) — 2023.0.6 (15.0.6)+3

🔴Vulnerability Details

GHSA

GHSA-r768-9fhw-4p52: In Progress MOVEit Transfer versions released before 2021↗2023-09-20

▶

CVEList

MOVEit Transfer Reflected XSS↗2023-09-20

▶