CVE-2023-35036: 
MOVEit Transfer vulnerability analysis and mitigation

SQL injection vulnerabilities were discovered in the MOVEit Transfer web application, identified as CVE-2023-35036. The vulnerability affects MOVEit Transfer versions before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). This critical vulnerability allows unauthenticated attackers to gain unauthorized access to the MOVEit Transfer's database (NVD).

The vulnerability is classified as an SQL injection (CWE-89) with a CVSS v3.1 base score of 9.1 (CRITICAL), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The vulnerability allows attackers to submit crafted payloads to MOVEit Transfer application endpoints, potentially resulting in unauthorized database access and manipulation (NVD).

The exploitation of this vulnerability can lead to unauthorized access to MOVEit Transfer's database, allowing attackers to modify and disclose database content. The high severity score reflects the potential for significant data breach and system compromise (NVD).

Organizations are advised to update to the latest patched versions: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), or 2023.0.2 (15.0.2) depending on their current version track (Progress Community).

Security vendors like Palo Alto Networks have actively monitored the situation and provided guidance to their customers. Their Product Security Assurance team has evaluated the vulnerability and confirmed that their products are not impacted (Palo Alto).