CVE-2023-36934

Name of the Vulnerable Software and Affected Versions MOVEit Transfer versions prior to 2020.1.11 (12.1.11) MOVEit Transfer versions prior to 2021.0.9 (13.0.9) MOVEit Transfer versions prior to 2021.1.7 (13.1.7) MOVEit Transfer versions prior to 2022.0.7 (14.0.7) MOVEit Transfer versions prior to 2022.1.8 (14.1.8) MOVEit Transfer versions prior to 2023.0.4 (15.0.4)

Description A SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint, such as the "human.aspx" endpoint, that could result in modification and disclosure of MOVEit database content. The vulnerability is related to the UserProcessPassChangeRequest parameter. This issue could allow a remote attacker to bypass security restrictions, execute arbitrary SQL code, and gain unauthorized access to read, modify, or delete data by sending specially crafted requests.

Recommendations As a temporary workaround, consider disabling the UserProcessPassChangeRequest parameter in the "human.aspx" endpoint until a patch is available. Restrict access to the MOVEit Transfer application endpoint to minimize the risk of exploitation. Avoid using the UserProcessPassChangeRequest parameter in the affected endpoint until the issue is resolved. Update to a version later than 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4) to resolve the issue.