Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer.
The SQL injection vulnerability, tracked as CVE-2023-36934, could allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.
CVE-2023-36932 is a SQL injection flaw that authenticated (logged-in) attackers can exploit to gain unauthorized access to the MOVEit Transfer database.
CVE-2023-36933, on the other hand, is a vulnerability that allows attackers to cause the MOVEit Transfer program to shut down unexpectedly.
These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
Users are strongly advised to update to the latest version of MOVEit Transfer to reduce the risks posed by these vulnerabilities.