CVE-2023-40043

Name of the Vulnerable Software and Affected Versions MOVEit Transfer versions prior to 2021.1.8 (13.1.8) MOVEit Transfer versions prior to 2022.0.8 (14.0.8) MOVEit Transfer versions prior to 2022.1.9 (14.1.9) MOVEit Transfer versions prior to 2023.0.6 (15.0.6)

Description A SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content. The vulnerability is related to the lack of validation of XML object sequences.

Recommendations For versions prior to 2021.1.8 (13.1.8), update to version 2021.1.8 (13.1.8) or later. For versions prior to 2022.0.8 (14.0.8), update to version 2022.0.8 (14.0.8) or later. For versions prior to 2022.1.9 (14.1.9), update to version 2022.1.9 (14.1.9) or later. For versions prior to 2023.0.6 (15.0.6), update to version 2023.0.6 (15.0.6) or later. As a temporary workaround, consider restricting access to the MOVEit Transfer web interface to minimize the risk of exploitation.