Moveit Transfer
Monthly
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.
Privilege/authorization bypass in Progress MOVEit Transfer's Audit User module lets an authenticated low-privileged user perform actions beyond their intended permissions, achieving high confidentiality, integrity, and availability impact (CVSS 8.8). Affected builds are all releases before 2025.0.7 and the 2025.1.x line before 2025.1.3. No public exploit has been identified at time of analysis, and the low EPSS score (0.18%, 8th percentile) with CISA SSVC marking exploitation as 'none' indicates no observed exploitation despite MOVEit's history as a ransomware target.
Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, but MOVEit Transfer's history as a mass-exploitation target warrants prompt patching.
Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.
SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.
Stored/reflected cross-site scripting in the Ad Hoc Transfer module of Progress MOVEit Transfer lets an authenticated low-privilege user inject script that executes in another user's browser session, per the CVSS PR:L/UI:R vector. Affected builds are 2026.0.0 before 2026.0.1, 2025.1.0 before 2025.1.4, and 2025.0.0 before 2025.0.8. No public exploit identified at time of analysis, though MOVEit Transfer's history as a mass-exploitation target (prior GoAnywhere/MOVEit campaigns) makes prompt patching prudent.
Denial of service in Progress MOVEit Transfer (Custom Reports modules) allows remote attackers to exhaust server memory through a missing-release-of-memory (memory leak) flaw, degrading availability of the managed file transfer service. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, and is addressed in the Progress Critical Security Bulletin of June 2026. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.1.8, from 2025.0.0 before 2025.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.1.0 before 2023.1.12, from 2024.0.0 before. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.
Privilege/authorization bypass in Progress MOVEit Transfer's Audit User module lets an authenticated low-privileged user perform actions beyond their intended permissions, achieving high confidentiality, integrity, and availability impact (CVSS 8.8). Affected builds are all releases before 2025.0.7 and the 2025.1.x line before 2025.1.3. No public exploit has been identified at time of analysis, and the low EPSS score (0.18%, 8th percentile) with CISA SSVC marking exploitation as 'none' indicates no observed exploitation despite MOVEit's history as a ransomware target.
Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, but MOVEit Transfer's history as a mass-exploitation target warrants prompt patching.
Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.
SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.
Stored/reflected cross-site scripting in the Ad Hoc Transfer module of Progress MOVEit Transfer lets an authenticated low-privilege user inject script that executes in another user's browser session, per the CVSS PR:L/UI:R vector. Affected builds are 2026.0.0 before 2026.0.1, 2025.1.0 before 2025.1.4, and 2025.0.0 before 2025.0.8. No public exploit identified at time of analysis, though MOVEit Transfer's history as a mass-exploitation target (prior GoAnywhere/MOVEit campaigns) makes prompt patching prudent.
Denial of service in Progress MOVEit Transfer (Custom Reports modules) allows remote attackers to exhaust server memory through a missing-release-of-memory (memory leak) flaw, degrading availability of the managed file transfer service. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, and is addressed in the Progress Critical Security Bulletin of June 2026. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.1.8, from 2025.0.0 before 2025.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.1.0 before 2023.1.12, from 2024.0.0 before. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.