CVE-2023-36932

Name of the Vulnerable Software and Affected Versions MOVEit Transfer versions prior to 2020.1.11 (12.1.11) MOVEit Transfer versions prior to 2021.0.9 (13.0.9) MOVEit Transfer versions prior to 2021.1.7 (13.1.7) MOVEit Transfer versions prior to 2022.0.7 (14.0.7) MOVEit Transfer versions prior to 2022.1.8 (14.1.8) MOVEit Transfer versions prior to 2023.0.4 (15.0.4)

Description The issue is related to SQL injection vulnerabilities in the MOVEit Transfer web application. These vulnerabilities could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database by submitting a crafted payload to a MOVEit Transfer application endpoint. This could result in the modification and disclosure of MOVEit database content. An attacker could exploit this issue to bypass security restrictions, execute arbitrary SQL code, and gain unauthorized access to read, modify, or delete data by sending specially crafted requests.

Recommendations For MOVEit Transfer versions prior to 2020.1.11 (12.1.11), update to version 2020.1.11 or later. For MOVEit Transfer versions prior to 2021.0.9 (13.0.9), update to version 2021.0.9 or later. For MOVEit Transfer versions prior to 2021.1.7 (13.1.7), update to version 2021.1.7 or later. For MOVEit Transfer versions prior to 2022.0.7 (14.0.7), update to version 2022.0.7 or later. For MOVEit Transfer versions prior to 2022.1.8 (14.1.8), update to version 2022.1.8 or later. For MOVEit Transfer versions prior to 2023.0.4 (15.0.4), update to version 2023.0.4 or later. As a temporary workaround, consider restricting access to the MOVEit Transfer application endpoint to minimize the risk of exploitation.