CVE-2020-28647

low-risk
Published 2020-11-17

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Progress

References (6)

Vendor Advisory https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-Nov-2020
Exploit https://labs.secforce.com/posts/progress-moveit-transfer-2020.1-stored-xss-cve-2...
Vendor Advisory https://www.progress.com/
Vendor Advisory https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-Nov-2020
Exploit https://labs.secforce.com/posts/progress-moveit-transfer-2020.1-stored-xss-cve-2...
Vendor Advisory https://www.progress.com/
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal