CVE-2023-35036

Name of the Vulnerable Software and Affected Versions MOVEit Transfer versions prior to 2021.0.7 (13.0.7) MOVEit Transfer versions prior to 2021.1.5 (13.1.5) MOVEit Transfer versions prior to 2022.0.5 (14.0.5) MOVEit Transfer versions prior to 2022.1.6 (14.1.6) MOVEit Transfer versions prior to 2023.0.2 (15.0.2)

Description SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. The vulnerability is related to the lack of protection of the SQL query structure.

Recommendations For versions prior to 2021.0.7 (13.0.7), update to a version that includes the fix for this issue. For versions prior to 2021.1.5 (13.1.5), update to a version that includes the fix for this issue. For versions prior to 2022.0.5 (14.0.5), update to a version that includes the fix for this issue. For versions prior to 2022.1.6 (14.1.6), update to a version that includes the fix for this issue. For versions prior to 2023.0.2 (15.0.2), update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the MOVEit Transfer application endpoint to minimize the risk of exploitation.