"MOVEit Transfer Faces Another Critical Data-Theft Bug"

Another critical SQL injection vulnerability has been disclosed and patched in Progress Software's MOVEit Transfer, the fourth such flaw revealed in the space of about a month. The bug, tracked as CVE-2023-36934, is distinct from the original zero-day that the Cl0p ransomware gang has been exploiting with resounding success, but like that bug it could let unauthenticated attackers reach the MOVEit Transfer database and, from there, deploy malware, manipulate files, or exfiltrate data. Progress said an attacker could submit a crafted payload to a MOVEit Transfer application endpoint and thereby modify and disclose MOVEit database content.

According to the company, the flaw had not been exploited in the wild at the time of disclosure, but given its severity users are urged to patch as soon as possible, along with two high-severity vulnerabilities (CVE-2023-36932 and CVE-2023-36933) disclosed at the same time. The bugs affect MOVEit Transfer versions 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
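The affected-version list above is the part of the advisory a responder actually acts on, so here is an added example (not code from the Dark Reading article or from Progress) that checks a fleet inventory of MOVEit Transfer version strings against those ranges. It assumes versions are reported in the numeric MAJOR.MINOR.PATCH form used on this page (an optional trailing build number is ignored); the hostnames and versions in the sample inventory are constructed for illustration. Branches the page does not list are reported as unknown rather than safe, because the page says nothing about them.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory summary above: for each
# (major, minor) branch, the highest patch level that is still vulnerable.
AFFECTED_MAX_PATCH = {
    (12, 1): 10,
    (13, 0): 8,
    (13, 1): 6,
    (14, 0): 6,
    (14, 1): 7,
    (15, 0): 3,
}

# MAJOR.MINOR.PATCH with an optional fourth (build) component that is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a version string into (major, minor, patch); None if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify one MOVEit Transfer version string against the listed ranges.

    Returns 'affected', 'not-affected', 'unknown-branch' or 'invalid'.
    'not-affected' only means the patch level is above the listed ceiling
    for a listed branch; it is not a statement about any other bug.
    """
    v = parse_version(version_text)
    if v is None:
        return "invalid"
    major, minor, patch = v
    branch = (major, minor)
    if branch not in AFFECTED_MAX_PATCH:
        # Branches the advisory summary does not mention (older or
        # end-of-life lines) are deliberately not reported as safe.
        return "unknown-branch"
    return "affected" if patch <= AFFECTED_MAX_PATCH[branch] else "not-affected"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for every host that needs attention,
    i.e. anything not positively above the listed affected ceiling."""
    results = []
    for host, version in inventory:
        verdict = assess(version)
        if verdict != "not-affected":
            results.append((host, version, verdict))
    return results


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("mft-prod-01.example", "15.0.3"),    # last affected patch of the 15.0 line
    ("mft-prod-02.example", "15.0.4"),    # above the listed ceiling
    ("mft-dr-01.example", "14.1.7.45"),   # build suffix is ignored -> affected
    ("mft-legacy.example", "11.2.9"),     # branch not listed on the page
    ("mft-broken.example", "n/a"),        # unparseable version field
]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {version:10} {verdict}")
```

Anything reported as unknown-branch or invalid should be resolved by hand against the vendor advisory rather than treated as clean; the script only encodes the ranges printed on this page.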

Dark Reading reports: "MOVEit Transfer Faces Another Critical Data-Theft Bug"