CVE-2023-35708: SQL Injection
First published: Fri Jun 16 2023(Updated: )
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Progress MOVEit Transfer | <2020.1.10 | |
| Progress MOVEit Transfer | >=2021.0.6<2021.0.8 | |
| Progress MOVEit Transfer | >=2021.1.4<2021.1.6 | |
| Progress MOVEit Transfer | >=2022.0.4<2022.0.6 | |
| Progress MOVEit Transfer | >=2022.1.5<2022.1.7 | |
| Progress MOVEit Transfer | >=2023.0.1<2023.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
- https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability
- https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
- https://www.zdnet.com/article/ransomware-leak-site-reports-rose-by-49-in-2023-but-there-is-good-news/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-35708.
What is the severity of CVE-2023-35708?
CVE-2023-35708 has a severity value of 9.8, which is critical.
What is the affected software?
The affected software is Progress MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
What is the vulnerability description for CVE-2023-35708?
CVE-2023-35708 is a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the system.
How do I fix CVE-2023-35708?
To fix CVE-2023-35708, it is recommended to update to MOVEit Transfer version 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), or 2023.0.3 (15.0.3), which contain the necessary security patches.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/zdnet-article
- source/ZDNet
- alias/CVE-2023-0669
- alias/CVE-2023-34362
- alias/CVE-2023-35036
- alias/CVE-2023-35708
- alias/CVE-2021-21974
- zeroday/true
- agent/news-ai
- vendor/progress
- canonical/progress moveit transfer
- version/progress moveit transfer/2021.0.6
- version/progress moveit transfer/2021.1.4
- version/progress moveit transfer/2022.0.4
- version/progress moveit transfer/2022.1.5
- version/progress moveit transfer/2023.0.1