CVE-2024-0396 HIGH

CVE-2024-0396: Missing Server-Side Input Validation in HTTP Parameter

Vendor: Progress Software Corporation
Product: MOVEit Transfer
Weakness: CWE-20 · Input validation
Published: January 17, 2024
Last update: November 13, 2024

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01 Description

In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.

Key dates

02 Disclosure timeline

January 17, 2024: CVE published
November 13, 2024: Record updated