CVE-2020-8611
moderate-risk
Published 2020-02-14
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements.
Do I need to act?
- 0.10% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 8.8/10 · High · NETWORK / LOW complexity
Affected Products (2)
Moveit Transfer
References (8)
Product
https://status.moveitcloud.com/
37/100 · moderate-risk
Severity: 30/34 · Critical
Exploitability: 0/34 · Minimal
Exposure: 7/34 · Low