CVE-2024-0396

Missing Server-Side Input Validation in HTTP Parameter

CVSS 7.1 HIGHEPSS 0.5%CWE-20

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.1EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

17 Jan 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected products

Progress Software Corporation · MOVEit Transfer

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024 https://www.progress.com/moveit