Skip to the content.

DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934

Our reference DIVD-2023-00028
Case lead Célistine Oosting
Researcher(s)
CVE(s)
Products
  • MOVEit Transfer
Versions
  • < 2020.1.11 (12.1.11)
  • < 2021.0.9 (13.0.9)
  • < 2021.1.7 (13.1.7)
  • < 2022.0.7 (14.0.7)
  • < 2022.1.8 (14.1.8)
  • < 2023.0.4 (15.0.4)
Recommendation Update to the applicable version of MOVEit Transfer listed in the versions section.
Patch status Fully patched
Status Open
Last modified 20 Jul 2023 11:20

Summary

Progress has discovered a new SQL Injection vulnerability in their product MOVEit Transfer, a managed file transfer application. Just like the previous vulnerability, misuse of this vulnerability could lead to privilege escalation and data theft.

What you can do

Progress has released patches for this vulnerability. If you haven’t applied the patch for the previous vulnerabilities (CVE-2023-34362), it’s important to follow the following remediation steps:

After following these steps it’s recommended to update to the latest version of MOVEit Transfer.

What we are doing

DIVD is working on identifying vulnerable parties and notifying them. We do this by finding MOVEit instances and extracting the version name from them. Vulnerable parties will receive an email from DIVD.

Timeline

Date Description
06 Jul 2023 Progress announces patches for a new critical vulnerability in MOVEit Transfer
10 Jul 2023 DIVD starts initial scans
15 Jul 2023 First version of this case file
20 Jul 2023 Informed vulnerable parties
gantt title DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934 (still open) :2023-07-06, 2024-04-30 section Events Progress announces patches for a new critical vulnerability in MOVEit Transfer : milestone, 2023-07-06, 0d DIVD starts initial scans : milestone, 2023-07-10, 0d First version of this case file : milestone, 2023-07-15, 0d Informed vulnerable parties : milestone, 2023-07-20, 0d

More information