CVE-2023-6217
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in Progress MOVEit Transfer allows attackers to execute malicious JavaScript in victims' browsers when MOVEit Gateway is deployed with MOVEit Transfer. Attackers can craft malicious payloads that trigger when users interact with them. Organizations using affected MOVEit Transfer versions with MOVEit Gateway are vulnerable.
💻 Affected Systems
- Progress MOVEit Transfer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the MOVEit application using stolen authentication tokens.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Requires user interaction with crafted payload; reflected XSS typically has low exploitation complexity
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7) or later
Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023
Restart Required: Yes
Instructions:
1. Download the appropriate service pack from the Progress support portal.
2. Back up the current installation.
3. Apply the service pack following vendor documentation.
4. Restart MOVEit services.
5. Verify the update succeeded.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add 'Content-Security-Policy' header with appropriate directives
Input Validation Filtering
Implement server-side input validation for all user inputs
Configure web application firewall rules to filter XSS payloads
🧯 If You Can't Patch
- Isolate MOVEit Gateway from internet access if possible
- Implement strict network segmentation and monitor for suspicious requests
🔍 How to Verify
Check if Vulnerable:
Check the MOVEit Transfer version in the admin interface and verify whether MOVEit Gateway is deployed
Check Version:
Check MOVEit Transfer admin dashboard or review installation directory version files
Verify Fix Applied:
Confirm version is 2022.0.9/14.0.9, 2022.1.10/14.1.10, or 2023.0.7/15.0.7 or later
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in request logs
- Suspicious parameter values containing script tags
Network Indicators:
- HTTP requests with encoded script payloads in parameters
SIEM Query:
search source="moveit_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")