CVE-2023-36932 is a high-severity vulnerability in Progress MOVEit Transfer, a widely deployed managed file transfer product. It covers multiple SQL injection flaws in the MOVEit Transfer web application that could allow an authenticated attacker to read and modify the contents of the MOVEit database. Affected are all releases prior to 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8) and 2023.0.4 (15.0.4); the numbers in parentheses are the product's internal version numbers. The issue was reported to Progress through the HackerOne platform.
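Because the fix ships as a separate patch release per branch, the practical question for an administrator is whether a given installed build is at or above the fixed build for its branch. The following is an added example, not code from Progress or from the advisory: it encodes the fixed-version table above, translates marketing-style version strings (2023.0.3) into the internal numbering (15.0.3), ignores a trailing build component, and classifies a version as affected, fixed, or unsupported. Treating a branch that does not appear in the table as "unsupported" is this example's own assumption, not a statement from the advisory.

```python
"""Classify a MOVEit Transfer version against the fixed builds for CVE-2023-36932.

Added example, not vendor code. The fixed-build table comes from the advisory's
affected-version list; handling of unlisted branches is an assumption.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed internal build per branch, keyed by (major, minor).
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (12, 1): (12, 1, 11),  # 2020.1.11
    (13, 0): (13, 0, 9),   # 2021.0.9
    (13, 1): (13, 1, 7),   # 2021.1.7
    (14, 0): (14, 0, 7),   # 2022.0.7
    (14, 1): (14, 1, 8),   # 2022.1.8
    (15, 0): (15, 0, 4),   # 2023.0.4
}

# Marketing (year, minor) -> internal (major, minor), from the advisory's pairs.
MARKETING_TO_INTERNAL: Dict[Tuple[int, int], Tuple[int, int]] = {
    (2020, 1): (12, 1),
    (2021, 0): (13, 0),
    (2021, 1): (13, 1),
    (2022, 0): (14, 0),
    (2022, 1): (14, 1),
    (2023, 0): (15, 0),
}

# major.minor.patch with an optional fourth (build) component that is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


class Verdict(NamedTuple):
    version: Version          # internal numbering
    status: str               # "affected", "fixed" or "unsupported"
    fixed_in: Optional[Version]


def parse_version(text: str) -> Version:
    """Parse "15.0.3", "2023.0.3" or "15.0.3.201" into internal (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if major >= 2000:  # marketing form such as 2023.0.3
        try:
            major, minor = MARKETING_TO_INTERNAL[(major, minor)]
        except KeyError:
            raise ValueError(f"unknown marketing branch {major}.{minor}") from None
    return (major, minor, patch)


def assess(text: str) -> Verdict:
    """Return whether the given version is affected by CVE-2023-36932."""
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        # Assumption: a branch with no listed fix is out of support and should be
        # treated as affected until it is upgraded to a supported branch.
        return Verdict(v, "unsupported", None)
    # Tuple comparison handles patch numbers with more than one digit correctly.
    return Verdict(v, "fixed" if v >= fixed else "affected", fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for s in ["14.1.7", "14.1.8", "2023.0.3", "15.0.4.201", "11.0.5", "2021.1.6"]:
        r = assess(s)
        fixed_txt = ".".join(map(str, r.fixed_in)) if r.fixed_in else "n/a"
        print(f"{s:>12} -> {r.status:<11} internal={'.'.join(map(str, r.version))} fixed_in={fixed_txt}")
```

Feed it the version string from the MOVEit Transfer admin interface or from your asset inventory; anything reported as "affected" or "unsupported" should be scheduled for upgrade to the fixed build of its branch.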
Exploiting CVE-2023-36932 involves submitting a specially crafted payload to a MOVEit Transfer application endpoint; a successful attack could result in disclosure and modification of MOVEit database content. At the time the advisory was published, there were no known reports of this vulnerability being exploited in the wild. Given its severity and the product's exposure as an internet-facing file transfer service, administrators are nonetheless strongly encouraged to apply the fixed release for their branch as soon as possible.
Two other vulnerabilities were disclosed in the same advisory. One of them, CVE-2023-36934, is rated critical: it can be exploited by an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database, so it is the more urgent of the two to address. It was reported by a Trend Micro researcher through the Zero Day Initiative. Since the fixed releases listed above address all of these issues, users of the affected MOVEit Transfer versions should upgrade immediately to protect their systems and data.
Description last updated: 2024-05-04T16:32:33.157Z