Progress Software late last week shipped fixes for further vulnerabilities in its MOVEit Transfer software, with the US Cyber and Infrastructure Security Agency (CISA) urging users to install the patches immediately.
CISA noted that CVE-2023-36934, CVE-2023-36932 and CVE-2023-36933 are new vulnerabilities.
The most serious vulnerability is CVE-2023-36934, which Progress Software rates as “critical”.
Unpatched versions of the MOVEit Transfer web application have a SQL injection vulnerability.
If triggered by a crafted payload, the vulnerability can be exploited to get unauthorised access to the MOVEit Transfer database, exposing database content to “modification and disclosure”.
The bug is credited to Guy Lederfein of Trend Micro working with the Zero Day Initiative.
CVE-2023-36932 identifies a number of other SQL injection vulnerabilities rated “high” severity.
Once again, the vulnerabilities can be triggered by crafted payloads to expose the database to modification and disclosure.
Progress Software credits these bugs to cchav3z at HackerOne, Nicolas Zilio for CrowdStrike and hoangha2, hoangnx, and duongdpt (Q5Ca) with VCSLAB of Viettel Cyber Security.
Finally, CVE-2023-36933 allows an attacker to crash MOVEit Transfer by invoking “a method that results in an unhandled exception.”
James Horseman at HackerOne is credited with discovering this vulnerability.
Progress Software published patches for the bugs late last week.
