MOVEit Transfer SQL Injection Before 2023.0.6 Allowing Unauthorized Database Access
CVE-2023-40043 Published on September 20, 2023
MOVEit Transfer System Administrator SQL Injection
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.
Vulnerability Analysis
CVE-2023-40043 can be exploited over the network, but only by an authenticated account holding MOVEit system administrator privileges; it is not reachable by anonymous or ordinary users. The attack complexity is considered low: a crafted value submitted through the administrative web interface is enough. The potential impact of a successful exploit is considered very high, because the administrator can read and modify arbitrary MOVEit database content rather than only the data the web interface is meant to expose.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2023-40043 has been classified as a SQL Injection vulnerability (CWE-89).
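The weakness above, shown as an added example rather than anything from MOVEit Transfer or the Progress advisory: a lookup that splices a submitted value into the SQL text beside the same lookup written with a bound parameter. The in-memory SQLite database, its table and column names, and the two payloads are all constructed for this illustration and are not MOVEit's schema or a known exploit for this CVE.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an application database.
    # Table and column names are assumptions for the illustration only.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.test');
        INSERT INTO users VALUES ('bob', 'bob@example.test');
        CREATE TABLE settings (setting_name TEXT, setting_value TEXT);
        INSERT INTO settings VALUES ('smtp_password', 'hunter2');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # CWE-89: the externally supplied value becomes part of the SQL text,
    # so a quote character in it changes the statement the engine runs.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement shape is fixed before the data is bound; the value is
    # compared as a string and can never be parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads of the kind a form field could carry.
# Tautology: turns the WHERE clause into a condition that is always true.
TAUTOLOGY = "' OR '1'='1"
# UNION: reads rows from an unrelated table through the same query.
# The trailing -- comments out the closing quote the template appends.
UNION_READ = "x' UNION SELECT setting_name, setting_value FROM settings --"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, TAUTOLOGY))      # both user rows
    print(lookup_vulnerable(conn, UNION_READ))     # the settings row
    print(lookup_parameterized(conn, TAUTOLOGY))   # []
    print(lookup_parameterized(conn, UNION_READ))  # []
```

The UNION payload is the shape that matters for "disclosure of database content": column count and types only have to line up with the original SELECT for rows from any readable table to come back through the same result set. The parameterized version returns nothing for either payload because the whole string is compared literally against the username column.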
Products Associated with CVE-2023-40043
Affected Versions
Progress Software Corporation MOVEit Transfer:
- Version 2023.0.0 (15.0.0) up to, but not including, 2023.0.6 (15.0.6) is affected.
- Version 2022.1.0 (14.1.0) up to, but not including, 2022.1.9 (14.1.9) is affected.
- Version 2022.0.0 (14.0.0) up to, but not including, 2022.0.8 (14.0.8) is affected.
- Version 2021.1.0 (13.1.0) up to, but not including, 2021.1.8 (13.1.8) is affected.
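A branch-aware version check for the ranges listed above, added here as an example and not taken from any Progress tooling. Because each release line was fixed in its own patch release, comparing a bare version number against the newest fix is wrong: 2022.1.8 is affected although it sorts above 2022.0.8. The check accepts either the year-based or the internal (13.x/14.x/15.x) numbering that the list gives side by side; the mapping between the two is read from that list, and the function name and return convention are this example's own.

```python
# Fix versions per release branch, taken from the affected-version list:
# everything on a branch below its fix version is affected.
FIXED_BY_BRANCH = {
    (2021, 1): (2021, 1, 8),
    (2022, 0): (2022, 0, 8),
    (2022, 1): (2022, 1, 9),
    (2023, 0): (2023, 0, 6),
}

# Internal numbering shown in parentheses on the page (13.1.x = 2021.1.x ...).
INTERNAL_TO_YEAR = {
    (13, 1): (2021, 1),
    (14, 0): (2022, 0),
    (14, 1): (2022, 1),
    (15, 0): (2023, 0),
}


def parse_version(text: str) -> tuple:
    # Accepts "2023.0.5" or "15.0.5"; normalizes to the year-based triple.
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    branch = parts[:2]
    if branch in INTERNAL_TO_YEAR:
        branch = INTERNAL_TO_YEAR[branch]
    return branch + (parts[2],)


def is_affected(version_text: str):
    # True  -> on a listed branch and below that branch's fix version.
    # False -> on a listed branch at or above the fix version.
    # None  -> branch not covered by the advisory's list; don't assume either way.
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED_BY_BRANCH:
        return None
    return version < FIXED_BY_BRANCH[branch]


if __name__ == "__main__":
    for v in ("2023.0.5", "15.0.6", "2022.1.8", "14.0.8", "2021.1.7", "2020.1.6"):
        print(v, is_affected(v))
```

The `None` case is deliberate: a version string from a branch the advisory does not mention (an older, unsupported line, say) should be flagged for a human rather than silently reported as safe.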
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.