CVE-2023-42660

{"id": "CVE-2023-42660", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-09-20T17:15:11.550", "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/moveit", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"}, {"lang": "es", "value": "En las versiones de MOVEit Transfer lanzadas antes de 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en la interfaz de la m\u00e1quina MOVEit Transfer que podr\u00eda permitir que un atacante autenticado obtenga acceso no autorizado a la base de datos de MOVEit Transfer. Un atacante podr\u00eda enviar un payload manipulado a la interfaz de la m\u00e1quina MOVEit Transfer, lo que podr\u00eda provocar la modificaci\u00f3n y divulgaci\u00f3n del contenido de la base de datos de MOVEit.\n"}], "lastModified": "2023-09-22T18:31:51.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6E9F262-3E55-48FF-94A0-09C0C80FE7C0", "versionEndExcluding": "2021.1.8"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1FFF5B1-D887-48EA-BFD1-FBD9F699DEA3", "versionEndExcluding": "2022.0.8", "versionStartIncluding": "2022.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64138C94-BAB8-45D2-93A1-31FC4D4F1E41", "versionEndExcluding": "2022.1.9", "versionStartIncluding": "2022.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C35AF1A0-05E8-4F69-9F99-91925C490EE9", "versionEndExcluding": "2023.0.6", "versionStartIncluding": "2023.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}