Progress has released security patches to address a critical SQL injection vulnerability, CVE-2023-36934, in its MOVEit Transfer software.
This comes after the software made headlines due to a significant Clop ransomware campaign exploiting a vulnerability in the product. The SQL injection flaw, if exploited by an unauthenticated attacker, could grant unauthorized access to the MOVEit Transfer database, potentially leading to the modification and disclosure of its content.
The vulnerability affects previous versions of the software, and customers are advised to update to the latest versions and apply the provided patches.
In addition to the critical SQL injection vulnerability, Progress has also addressed high-severity issues collectively tracked as CVE-2023-36932 in MOVEit Transfer software. These vulnerabilities, affecting earlier versions of the software, could allow an authenticated attacker to gain unauthorized access to the database, leading to potential modification and disclosure of MOVEit database content.
Furthermore, another high-severity issue, tracked as CVE-2023-36933, has been fixed by Progress. Exploiting this vulnerability could result in the unexpected termination of the MOVEit Transfer application.
Progress advises users to check their current software version and apply the relevant Service Pack. Full installers are recommended due to the nature of the included updates.
By installing the security patches and updating to the latest versions of MOVEit Transfer, organizations can mitigate the risk of exploitation and protect their systems from potential unauthorized access, data modification, and disclosure.
