QID 150691
Date Published: 2023-06-19
QID 150691: MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch. It allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.
In the affected versions, a SQL injection vulnerability in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), the attacker may be able to extract information about the structure and contents of the database. Additionally, they could execute SQL statements that modify or delete elements within the database.
Affected Versions:
- MOVEit Transfer before 2021.0.6 (13.0.6)
- MOVEit Transfer before 2021.1.4 (13.1.4)
- MOVEit Transfer before 2022.0.4 (14.0.4)
- MOVEit Transfer before 2022.1.5 (14.1.5)
- MOVEit Transfer before 2023.0.1 (15.0.1)
Exploiting this vulnerability, an attacker without authentication could potentially gain access to the database, extract sensitive information, and execute SQL statements that modify or delete crucial database elements.
CVEs related to QID 150691
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| MOVEit Transfer |