{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40043", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2023-08-08T19:44:41.111Z", "datePublished": "2023-09-20T16:06:00.755Z", "dateUpdated": "2025-02-27T20:49:18.650Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["MOVEit Transfer Web Interface"], "product": "MOVEit Transfer", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2023.0.6 (15.0.6)", "status": "affected", "version": "2023.0.0 (15.0.0)", "versionType": "semver"}, {"lessThan": "2022.1.9 (14.1.9)", "status": "affected", "version": "2022.1.0 (14.1.0)", "versionType": "semver"}, {"lessThan": "2022.0.8 (14.0.8)", "status": "affected", "version": "2022.0.0 (14.0.0)", "versionType": "semver"}, {"lessThan": "2021.1.8 (13.1.8)", "status": "affected", "version": "2021.1.0 (13.1.0)", "versionType": "semver"}]}], "datePublic": "2023-09-20T16:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface&nbsp;that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A&nbsp;MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.</span>\n\n"}], "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u00a0that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u00a0MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2023-09-20T16:15:19.179Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer System Administrator SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.973Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-26T21:50:59.729139Z", "id": "CVE-2023-40043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T20:49:18.650Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40043", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2023-08-08T19:44:41.111Z", "datePublished": "2023-09-20T16:06:00.755Z", "dateUpdated": "2025-02-27T20:49:18.650Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["MOVEit Transfer Web Interface"], "product": "MOVEit Transfer", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2023.0.6 (15.0.6)", "status": "affected", "version": "2023.0.0 (15.0.0)", "versionType": "semver"}, {"lessThan": "2022.1.9 (14.1.9)", "status": "affected", "version": "2022.1.0 (14.1.0)", "versionType": "semver"}, {"lessThan": "2022.0.8 (14.0.8)", "status": "affected", "version": "2022.0.0 (14.0.0)", "versionType": "semver"}, {"lessThan": "2021.1.8 (13.1.8)", "status": "affected", "version": "2021.1.0 (13.1.0)", "versionType": "semver"}]}], "datePublic": "2023-09-20T16:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface&nbsp;that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A&nbsp;MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.</span>\n\n"}], "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u00a0that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u00a0MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2023-09-20T16:15:19.179Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer System Administrator SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.973Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-26T21:50:59.729139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T20:36:26.389Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E9F262-3E55-48FF-94A0-09C0C80FE7C0", "versionEndExcluding": "2021.1.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FFF5B1-D887-48EA-BFD1-FBD9F699DEA3", "versionEndExcluding": "2022.0.8", "versionStartIncluding": "2022.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "64138C94-BAB8-45D2-93A1-31FC4D4F1E41", "versionEndExcluding": "2022.1.9", "versionStartIncluding": "2022.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "C35AF1A0-05E8-4F69-9F99-91925C490EE9", "versionEndExcluding": "2023.0.6", "versionStartIncluding": "2023.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u00a0that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u00a0MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\n\n"}, {"lang": "es", "value": "En las versiones de MOVEit Transfer lanzadas antes de 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en la interfaz web de MOVEit Transfer que podr\u00eda permitir que una cuenta de administrador del sistema MOVEit obtenga acceso no autorizado a la base de datos de MOVEit Transfer. Un administrador del sistema MOVEit podr\u00eda enviar un payload manipulado a la interfaz web de MOVEit Transfer, lo que podr\u00eda dar como resultado la modificaci\u00f3n y divulgaci\u00f3n del contenido de la base de datos de MOVEit."}], "id": "CVE-2023-40043", "lastModified": "2024-11-21T08:18:35.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-20T17:15:11.240", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/moveit"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}