Three Security Vulnerabilities Found in Progress MOVEit Transfer

Progress Software has cautioned its user base of three newly discovered security flaws in its MOVEit Transfer solution. These vulnerabilities, if exploited, could let cyber adversaries purloin crucial data from customer databases or run malevolent JavaScript.

CVE-2023-42660 (CVSS score of 8.8): MOVEit Transfer Machine Interface SQL Injection

This vulnerability, pertaining to the MOVEit Transfer machine interface, could serve as a backdoor for authenticated malefactors to sneak into the MOVEit Transfer database. By dispatching a craftily designed payload to the machine interface, they could potentially modify or even lay bare the content of the MOVEit database. Affected versions stretch across multiple releases before the 2023.0.6 (15.0.6) update.

CVE-2023-40043 (CVSS score of 7.2): MOVEit Transfer System Administrator SQL Injection

While system administrators are typically the digital custodians ensuring system integrity, this flaw in the MOVEit Transfer web interface could see them become inadvertent culprits. If a MOVEit system administrator stumbles upon a crafty payload, they could potentially acquire unwarranted access to the MOVEit Transfer database. This, in turn, could allow alterations or even unwanted revelations of the database’s content. Versions at risk are akin to the aforementioned machine interface flaw.

CVE-2023-42656 (CVSS score of 6.1): MOVEit Transfer Reflected XSS

The MOVEit Transfer’s web interface seems to be a magnet for another vulnerability – a reflected cross-site scripting (XSS) loophole. The danger here lies in an attacker’s ability to create a devious payload during the package composition procedure. Unsuspecting MOVEit users, interacting with this payload, could inadvertently allow the attacker to run malignant JavaScript, putting their browser and potentially their device at risk.

Below you can find the current list of MOVEit Transfer versions that have a patch available for these new vulnerabilities: