Progress Software released security updates to fix several new SQL injection vulnerabilities in the MOVEit Transfer application.

Progress Software has released security updates to address new SQL injection vulnerabilities in the MOVEit Transfer application.

An attacker can exploit the SQL injection vulnerabilities in the MOVEit Transfer solution to steal sensitive information.

“SQL Injection (CVE pending MITRE) In Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database.” reads the advisory published by the company. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

All versions of MOVEit Transfer are affected by these vulnerabilities.

The vulnerabilities were discovered by researchers from the cybersecurity firm Huntress.

The good news is that Progress Software is not aware of attacks in the wild exploiting these vulnerabilities.

Recently another MOVEit Transfer vulnerability, tracked as CVE-2023-34362, made the headlines. It is a SQL injection vulnerability that can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the above issue.

Kroll researchers discovered that the Clop ransomware gang had been looking for a zero-day exploit in MOVEit Transfer since 2021.