CVE-2023-6217 Overview
A reflected cross-site scripting (XSS) vulnerability has been identified in Progress MOVEit Transfer when MOVEit Gateway is used in conjunction with MOVEit Transfer. This vulnerability exists in multiple versions of MOVEit Transfer released before the November 2023 service pack.
An attacker could craft a malicious payload targeting systems comprising a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser, potentially leading to session hijacking, credential theft, or further attack propagation.
Critical Impact
This XSS vulnerability allows attackers to execute arbitrary JavaScript in user browsers, potentially compromising session tokens, stealing credentials, or performing unauthorized actions on behalf of authenticated MOVEit users.
Affected Products
- Progress MOVEit Transfer versions before 2022.0.9 (14.0.9)
- Progress MOVEit Transfer versions before 2022.1.10 (14.1.10)
- Progress MOVEit Transfer versions before 2023.0.7 (15.0.7)
Discovery Timeline
- 2023-11-29 - CVE-2023-6217 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-6217
Vulnerability Analysis
This reflected XSS vulnerability (CWE-79) occurs in Progress MOVEit Transfer deployments that utilize MOVEit Gateway. The vulnerability requires user interaction to exploit, as the victim must interact with a specially crafted malicious payload. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope, affecting both confidentiality and integrity of user sessions.
The attack is network-based with low complexity, requiring no privileges to execute. However, successful exploitation depends on tricking a user into clicking a malicious link or visiting a compromised page that redirects to the vulnerable endpoint.
Root Cause
The root cause stems from improper neutralization of user-supplied input in the web interface components that handle communication between MOVEit Gateway and MOVEit Transfer. When user input is reflected in web page output without adequate sanitization or encoding, it enables the execution of attacker-controlled scripts in the browser context.
Attack Vector
The attack leverages the network-accessible interface of MOVEit Transfer when configured with MOVEit Gateway. An attacker crafts a malicious URL or payload containing JavaScript code and distributes it to potential victims through phishing emails, malicious websites, or other social engineering techniques. When a victim clicks the link while authenticated to MOVEit Transfer, the malicious script executes with their session privileges.
The vulnerability can be exploited to steal session cookies, capture user credentials, perform actions on behalf of the victim, or redirect users to malicious sites. Since MOVEit Transfer handles sensitive file transfers, successful exploitation could lead to unauthorized access to confidential documents or further compromise of enterprise systems.
Detection Methods for CVE-2023-6217
Indicators of Compromise
- Unusual URL parameters containing JavaScript code or encoded script tags in MOVEit Transfer access logs
- Web server logs showing requests with <script> tags, javascript: protocol handlers, or event handler attributes in query strings
- Alert triggers from web application firewalls detecting XSS patterns targeting MOVEit endpoints
- User reports of unexpected browser behavior or redirects when accessing MOVEit Transfer
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block common XSS payloads in requests to MOVEit Transfer
- Monitor HTTP access logs for suspicious query parameters containing script injection patterns
- Implement browser-based XSS protection headers and Content Security Policy (CSP) to limit script execution
- Review authentication logs for anomalous session activity that could indicate session token theft
Monitoring Recommendations
- Enable detailed logging on MOVEit Transfer and Gateway components to capture full request URLs
- Configure SIEM rules to alert on XSS signature patterns in web traffic to MOVEit infrastructure
- Monitor for unusual user account activity that could indicate compromised sessions
- Track browser security header violations that may indicate XSS attempts
How to Mitigate CVE-2023-6217
Immediate Actions Required
- Upgrade Progress MOVEit Transfer to version 2022.0.9 (14.0.9) or later, 2022.1.10 (14.1.10) or later, or 2023.0.7 (15.0.7) or later
- Review the Progress MOVEit Transfer Service Pack November 2023 for complete patching instructions
- Educate users about the risks of clicking suspicious links, especially those claiming to be MOVEit Transfer URLs
- Implement Content Security Policy headers to reduce the impact of potential XSS attacks
Patch Information
Progress has released security patches addressing this vulnerability in the November 2023 service pack. Organizations should apply the appropriate patch based on their installed version:
| Current Version Branch | Patched Version |
|---|---|
| 2022.0.x (14.0.x) | 2022.0.9 (14.0.9) |
| 2022.1.x (14.1.x) | 2022.1.10 (14.1.10) |
| 2023.0.x (15.0.x) | 2023.0.7 (15.0.7) |
For detailed patch instructions and download links, refer to the Progress Community Advisory.
Workarounds
- Deploy a web application firewall (WAF) with XSS filtering rules in front of MOVEit Transfer as a temporary mitigation
- Implement strict Content Security Policy headers to prevent inline script execution
- Restrict network access to MOVEit Transfer interfaces to trusted IP ranges where possible
- Consider temporarily disabling MOVEit Gateway integration if not critical to operations until patching is complete
# Example Content Security Policy header configuration (Apache)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
