CVE-2023-36932: 
MOVEit Transfer vulnerability analysis and mitigation

Multiple SQL injection vulnerabilities were identified in the MOVEit Transfer web application (CVE-2023-36932), affecting versions before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The vulnerability was disclosed in July 2023 and allows authenticated attackers to gain unauthorized access to the MOVEit Transfer database (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-89 (SQL Injection), where an attacker could submit crafted payloads to application endpoints resulting in unauthorized database access (NVD).

If exploited, this vulnerability could allow attackers to modify and disclose MOVEit database content, potentially compromising sensitive data stored within the system. The high CVSS score reflects the significant potential impact on data confidentiality and integrity (NVD).

Progress has released security patches to address these vulnerabilities. Users are advised to upgrade to the following versions: 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), or 2023.0.4 (15.0.4) (Progress Advisory).