New MOVEit Transfer SQL Injection Vulnerabilities Discovered - Patch Now!

MOVEit Transfer SQL Injection Vulnerabilities
Progress Software has released security updates for its MOVEit Transfer file transfer application. The updates fix two SQL injection vulnerabilities and one reflected cross-site scripting (XSS) vulnerability that could have allowed attackers to steal sensitive information from the application.

According to the security advisory from the Progress team, both SQL injection vulnerabilities were found by Progress engineers, while the XSS flaw was reported through Bugcrowd by the researcher using the handle HusseiN98D.

Earlier this year a zero-day vulnerability in Progress-owned MOVEit software, tracked as CVE-2023-34362, was mass-exploited by the Clop ransomware gang to steal data from large organizations worldwide. Organizations previously reported to be affected by that MOVEit vulnerability include Shell, BBC, British Airways, Boots, CalPERS, Aer Lingus, Honeywell, and US government agencies.

The first SQL injection vulnerability, CVE-2023-40043, was identified in the MOVEit Transfer web interface and could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface, which could result in modification and disclosure of MOVEit database content.

Another SQL injection flaw, identified as CVE-2023-42660, was also discovered in MOVEit Transfer's web interface.

The two SQL injection issues affect multiple MOVEit Transfer versions: 13.1.8 and older, 14.0.8 and older, 14.1.9 and older, and 15.0.6 and older.
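The root cause class behind both SQL injection CVEs is the same one any web application can have: user-controlled text spliced into the SQL statement instead of being bound as a parameter. The following is an added, generic illustration (not MOVEit's code, and not its schema; the `packages` table, the owner lookup and the probe string are all constructed for the example) that shows the defective pattern beside the corrected one, plus a small self-check that tells the two apart without needing any injection payload: a single apostrophe in otherwise ordinary input is enough to prove whether input can reach the SQL parser.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (id INTEGER, owner TEXT, subject TEXT)")
    conn.executemany(
        "INSERT INTO packages VALUES (?, ?, ?)",
        [(1, "alice", "Q3 report"), (2, "bob", "contract draft"), (3, "alice", "invoice")],
    )
    return conn

def packages_for_owner_vulnerable(conn, owner):
    # Defective pattern: the caller-supplied value becomes part of the SQL text,
    # so anything the value contains is interpreted by the SQL parser.
    sql = "SELECT id FROM packages WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def packages_for_owner_safe(conn, owner):
    # Corrected pattern: the value is bound as a parameter and is always data,
    # never SQL, whatever characters it contains.
    sql = "SELECT id FROM packages WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]

def query_is_injectable(conn, lookup, probe="O'Brien"):
    """Return True if `lookup` lets a quote character alter the SQL text.

    A parameterised query treats the apostrophe as data and simply finds no rows.
    A concatenated query hands the apostrophe to the parser, which rejects the
    now-malformed statement; that failure is the tell that input reaches the
    SQL text and that the query needs to be rewritten with bound parameters.
    """
    try:
        lookup(conn, probe)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", packages_for_owner_vulnerable),
                     ("parameterised", packages_for_owner_safe)):
        print(f"{name:14s} alice -> {fn(db, 'alice')}  injectable: {query_is_injectable(db, fn)}")
```

Both functions return the same rows for well-behaved input, which is why this class of bug survives functional testing; only the parameterised version behaves correctly when the input contains SQL metacharacters. A code-review or SAST rule that flags string concatenation or formatting into a statement executed against the database catches the defective pattern directly.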

A third vulnerability addressed by this patch is CVE-2023-42656, a reflected cross-site scripting (XSS) vulnerability identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.

This flaw affects MOVEit Transfer versions 13.1.8 and older, 14.0.8 and older, 14.1.9 and older, and 15.0.6 and older.
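A reflected XSS in a form such as package composition arises when a value from the request is written back into the HTML response without output encoding. The following added example (not MOVEit's code; the page-rendering function, the `subject` field and the sample input are constructed for illustration) contrasts a renderer that reflects the field raw with one that HTML-encodes it, and includes a check that a reviewer or test can run over rendered output to confirm that no user-supplied markup characters survive unencoded.

```python
import html

# Constructed user input for a "subject" field: ordinary text that happens to
# contain HTML-significant characters (no script, just the characters that matter).
SAMPLE_SUBJECT = 'Q3 <draft> & "final" notes'

def render_compose_vulnerable(subject):
    # Defective pattern: the request value is concatenated straight into the
    # page, so any tag or attribute syntax it contains is parsed by the browser.
    return '<input name="subject" value="' + subject + '"><p>Re: ' + subject + '</p>'

def render_compose_safe(subject):
    # Corrected pattern: encode for the HTML context before writing the value
    # out. html.escape with quote=True also encodes " and ', which is what an
    # attribute value needs.
    encoded = html.escape(subject, quote=True)
    return '<input name="subject" value="' + encoded + '"><p>Re: ' + encoded + '</p>'

def reflects_raw_markup(rendered, user_value):
    """Return True if `user_value` appears in `rendered` verbatim while containing
    characters that must be encoded in HTML. A correctly encoded page never
    contains the raw value when that value carries <, >, & or quotes."""
    needs_encoding = any(ch in user_value for ch in '<>&"\'')
    return needs_encoding and user_value in rendered

if __name__ == "__main__":
    for name, fn in (("raw", render_compose_vulnerable), ("encoded", render_compose_safe)):
        out = fn(SAMPLE_SUBJECT)
        print(f"{name:8s} reflects raw markup: {reflects_raw_markup(out, SAMPLE_SUBJECT)}")
        print("  ", out)
```

Context-correct output encoding is the primary fix; a Content-Security-Policy that disallows inline script is a worthwhile second layer because it limits what a reflected payload can do if an encoding gap is ever missed.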

Users of MOVEit Transfer are advised to upgrade to the fixed versions listed in the table below, which address the vulnerabilities described above.

| Affected Version | Fixed Version (Full Installer) | Documentation | Release Notes |
|---|---|---|---|
| MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.6 (15.0.6) | MOVEit 2023 Upgrade Documentation | MOVEit Transfer 2023.0.6 Release Notes |
| MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.9 (14.1.9) | MOVEit 2022 Upgrade Documentation | MOVEit Transfer 2022.1.9 Release Notes |
| MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.8 (14.0.8) | MOVEit 2022 Upgrade Documentation | MOVEit Transfer 2022.0.8 Release Notes |
| MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.8 (13.1.8) | MOVEit 2021 Upgrade Documentation | MOVEit Transfer 2021.1.8 Release Notes |
| MOVEit Transfer 2021.0.x (13.0.x) or older | Must upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide | N/A |