Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software

Share:

Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities.

The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.

SQL injection vulnerabilities are a well-known and dangerous security flaw that allows attackers to manipulate databases and run any code they want. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database.

 

The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports of this particular vulnerability being actively used by attackers.

This discovery comes after a series of recent cyberattacks that used a different SQL injection vulnerability (CVE-2023-34362) to target MOVEit Transfer with Clop ransomware. These attacks resulted in data theft and money extortion from affected organizations.

This latest security update from Progress Software also addresses two other high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933.

CVE-2023-36932 is a SQL injection flaw that can be exploited by attackers who are logged in to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933, on the other hand, is a vulnerability that allows attackers to unexpectedly shut down the MOVEit Transfer program.

Researchers from HackerOne and Trend Micro’s Zero Day Initiative responsibly reported Progress Software about these vulnerabilities.

These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and earlier.

Progress Software has made the necessary updates available for all major MOVEit Transfer versions. Users are strongly advised to update to the latest version of MOVEit Transfer to reduce the risks posed by these vulnerabilities.

 

(c) The Hacker News

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
Austria, AT
10:27 pm, Dec 27, 2024
weather icon 1°C
L: 1° H: 1°
scattered clouds
Humidity 82 %
Pressure 1035 mb
Wind 6 mph SSE
Wind Gust Wind Gust: 5 mph
UV Index UV Index: 0
Precipitation Precipitation: 0 mm
Clouds Clouds: 46%
Rain Chance Rain Chance: 0%
Visibility Visibility: 10 km
Sunrise Sunrise: 7:53 am
Sunset Sunset: 4:22 pm
DailyHourly
Daily ForecastHourly Forecast
Scroll to Top