vulnerability
Progress MOVEit Transfer: CVE-2023-35708: Improper Neutralization of Special Elements used in an SQL Command
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Jun 16, 2023 | Jun 21, 2023 | Feb 11, 2026 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Jun 16, 2023
Added
Jun 21, 2023
Modified
Feb 11, 2026
Description
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Solution
progress-moveit-transfer-upgrade-latest
References
- CVE-2023-35708
- https://attackerkb.com/topics/CVE-2023-35708
- URL-https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
- URL-https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability
- URL-https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
- CWE-89
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.