CVE-2023-6217 HIGH

CVE-2023-6217: MOVEit Transfer XSS via MOVEit Gateway

Vendor Progress Software Corporation
Product MOVEit Transfer
Weakness CWE-79 · XSS
Published November 29, 2023
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.  An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.

Key dates

02Disclosure timeline

November 29, 2023 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-7767 PHPGurukul Art Gallery Management System edit-art-medium-detail.php cross site scripting CVE-2023-7225 MapPress <= 2.88.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings CVE-2024-56245 WordPress Premium Blocks plugin <= 2.1.42 - Cross Site Scripting (XSS) vulnerability CVE-2022-36378 WordPress Floating Div plugin <= 3.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2024-11371 Theater for WordPress <= 0.18.6.2 - Reflected Cross-Site Scripting