Three Security Vulnerabilities Found in Progress MOVEit Transfer

CVE-2023-42660

Progress Software has warned its customers of three newly disclosed security vulnerabilities in its MOVEit Transfer product. If exploited, two of them could let an attacker read or modify the contents of the MOVEit Transfer database, and the third could let an attacker run malicious JavaScript in a MOVEit user's browser.


CVE-2023-42660 (CVSS score of 8.8): MOVEit Transfer Machine Interface SQL Injection

This SQL injection vulnerability in the MOVEit Transfer machine interface could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. By submitting a crafted payload to the machine interface, the attacker could modify or disclose the content of the MOVEit database. Affected versions are those prior to the fixed releases listed in the table below: 2023.0.6 (15.0.6), 2022.1.9 (14.1.9), 2022.0.8 (14.0.8) and 2021.1.8 (13.1.8).

CVE-2023-40043 (CVSS score of 7.2): MOVEit Transfer System Administrator SQL Injection

This SQL injection vulnerability in the MOVEit Transfer web interface could allow a MOVEit system administrator to gain unauthorized access to the MOVEit Transfer database. An attacker who already holds system administrator privileges could submit a crafted payload to the web interface and modify or disclose the content of the database; the lower CVSS score compared with the machine interface flaw reflects that high privilege requirement. The same versions are affected as for the machine interface flaw.
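Progress has not published the affected code, so the following is an added illustration of the vulnerability class behind both CVE-2023-42660 and CVE-2023-40043, not MOVEit's code: a query built by string concatenation beside the parameterised form, run against a constructed in-memory SQLite table. The table, column names and payload are hypothetical; the point is that a single quote in an attacker-controlled value turns data into SQL syntax, enabling both disclosure and modification, while a bound parameter never does.

```python
import sqlite3

# Constructed stand-in for a file-transfer product's database. The table and
# column names are hypothetical and are not MOVEit's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "user", "alice-token"), ("sysadmin", "admin", "admin-token")],
    )
    conn.commit()
    return conn

# Vulnerable pattern: the caller-supplied value is spliced into the SQL text, so a
# quote inside the value closes the string literal and the remainder is parsed as SQL.
def lookup_vulnerable(conn, username):
    sql = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def rotate_secret_vulnerable(conn, username, new_secret):
    sql = ("UPDATE users SET secret = '" + new_secret
           + "' WHERE username = '" + username + "'")
    rows_changed = conn.execute(sql).rowcount
    conn.commit()
    return rows_changed

# Hardened pattern: placeholders bind the value as data; the SQL text is fixed.
def lookup_hardened(conn, username):
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def rotate_secret_hardened(conn, username, new_secret):
    sql = "UPDATE users SET secret = ? WHERE username = ?"
    rows_changed = conn.execute(sql, (new_secret, username)).rowcount
    conn.commit()
    return rows_changed

# Hypothetical payload: closes the quoted literal and appends an always-true predicate,
# so the WHERE clause matches every row (disclosure on SELECT, mass change on UPDATE).
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        # vulnerable SELECT returns every row; hardened SELECT matches none
        "vuln_rows_disclosed": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_rows_disclosed": len(lookup_hardened(conn, PAYLOAD)),
        # vulnerable UPDATE overwrites every secret; hardened UPDATE touches none
        "vuln_rows_modified": rotate_secret_vulnerable(conn, PAYLOAD, "pwned"),
        "safe_rows_modified": rotate_secret_hardened(conn, PAYLOAD, "pwned"),
    }

if __name__ == "__main__":
    print(demo())
```

Note that the payload is supplied through an ordinary, authenticated request; authentication is not a defence against this class, which is why the advisory rates the machine interface flaw as high severity even though it requires credentials. Parameterisation (or an ORM that parameterises for you) is the fix on the application side; on the operational side, apply the vendor patch and review database audit logs for unexpected bulk reads or updates.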

CVE-2023-42656 (CVSS score of 6.1): MOVEit Transfer Reflected XSS

A reflected cross-site scripting (XSS) vulnerability in the MOVEit Transfer web interface could allow an attacker to craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. When a user interacts with the crafted payload in a web browser, the attacker's JavaScript executes in that user's browser in the context of their MOVEit session, putting whatever that session can see or do at risk.
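As an added illustration of the reflected XSS class (not MOVEit's code; the page template, field name and payload are hypothetical), the following renders an attacker-controlled "package note" into HTML two ways: raw interpolation, and output encoding with `html.escape`. A small tag-collecting parser then checks which elements actually reach the browser, which is the check a reviewer would run on a suspected reflection point.

```python
import html
from html.parser import HTMLParser

# Hypothetical template for a package-composition page; not MOVEit's markup.
def render_note_vulnerable(note):
    # Raw interpolation: any markup in the untrusted value becomes part of the page.
    return f"<p class='note'>{note}</p>"

def render_note_hardened(note):
    # Output encoding: <, >, &, " and ' are turned into entities, so the value
    # is displayed as text and cannot introduce elements or attributes.
    return f"<p class='note'>{html.escape(note, quote=True)}</p>"

class TagCollector(HTMLParser):
    """Collects the element names a browser would create from the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

# Constructed payload: an element with an event handler, so no <script> tag is needed.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

def demo():
    vulnerable = render_note_vulnerable(PAYLOAD)
    hardened = render_note_hardened(PAYLOAD)
    return {
        "vulnerable_tags": tags_in(vulnerable),   # ['p', 'img'] -> attacker element rendered
        "hardened_tags": tags_in(hardened),       # ['p']        -> payload shown as text
        "hardened_markup": hardened,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Encoding at the point of output is the correct fix for reflected XSS; a Content-Security-Policy that forbids inline script and event handlers limits the damage if a reflection is missed, and is worth enabling on any web-facing transfer portal alongside the vendor patch.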

Below you can find the current list of MOVEit Transfer versions that have a patch available for these new vulnerabilities:

Affected Version                              Fixed Version (Full Installer)        Documentation                                     Release Notes
MOVEit Transfer 2023.0.x (15.0.x)             MOVEit Transfer 2023.0.6 (15.0.6)     MOVEit 2023 Upgrade Documentation                 MOVEit Transfer 2023.0.6 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)             MOVEit Transfer 2022.1.9 (14.1.9)     MOVEit 2022 Upgrade Documentation                 MOVEit Transfer 2022.1.9 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)             MOVEit Transfer 2022.0.8 (14.0.8)     MOVEit 2022 Upgrade Documentation                 MOVEit Transfer 2022.0.8 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)             MOVEit Transfer 2021.1.8 (13.1.8)     MOVEit 2021 Upgrade Documentation                 MOVEit Transfer 2021.1.8 Release Notes
MOVEit Transfer 2021.0.x (13.0.x) or older    Must upgrade to a supported version   See MOVEit Transfer Upgrade and Migration Guide   N/A