CVE-2020-8612 - OpenCVE

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Progess	Moveit Transfer
Progress	Moveit Transfer

Configuration 1 [-]

OR	cpe:2.3:a:progess:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

References

Link	Resource
https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020	Patch Vendor Advisory
https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm	Release Notes Vendor Advisory
https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm	Release Notes Vendor Advisory
https://status.moveitcloud.com/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-14T18:02:08

Updated: 2020-02-14T18:02:08

Reserved: 2020-02-04T00:00:00

Link: CVE-2020-8612

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-14T19:15:10.590

Modified: 2020-02-20T14:58:20.547

Link: CVE-2020-8612

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-14T18:02:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"}, {"tags": ["x_refsource_MISC"], "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://status.moveitcloud.com/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8612", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm", "refsource": "CONFIRM", "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"}, {"name": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020", "refsource": "MISC", "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"}, {"name": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm", "refsource": "CONFIRM", "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"}, {"name": "https://status.moveitcloud.com/", "refsource": "CONFIRM", "url": "https://status.moveitcloud.com/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8612", "datePublished": "2020-02-14T18:02:08", "dateReserved": "2020-02-04T00:00:00", "dateUpdated": "2020-02-14T18:02:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progess:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3A90B52-67F8-446C-AA38-31FD0FE6C5C9", "versionEndExcluding": "2019.1.4", "versionStartIncluding": "2019.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "49F7D6BB-5E06-47B6-82F1-F2EE6BE38924", "versionEndExcluding": "2019.2.1", "versionStartIncluding": "2019.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS."}, {"lang": "es", "value": "En Progress MOVEit Transfer versiones 2019.1 anteriores a 2019.1.4 y versiones 2019.2 anteriores a 2019.2.1, un endpoint de la API REST fall\u00f3 en sanear adecuadamente una entrada maliciosa, lo que podr\u00eda permitir a un atacante autenticado ejecutar c\u00f3digo arbitrario en el navegador de una v\u00edctima, tambi\u00e9n se conoce como una vulnerabilidad de tipo cross-site scripting (XSS)."}], "id": "CVE-2020-8612", "lastModified": "2020-02-20T14:58:20.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-14T19:15:10.590", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://status.moveitcloud.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}