QSearchQSearch

CVE-2021-38159

9.8 CRITICAL

In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could all...

Published: 2021-08-07 · Last updated: 2026-06-17

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-89

Affected products

VendorProduct
progressmoveit_transfer

Description

In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-7313 CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote a... (8.7 HIGH)
  • CVE-2026-7312 CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 t... (10.0 CRITICAL)
  • CVE-2026-7201 CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 1... (8.8 HIGH)
  • CVE-2026-7198 CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attack... (9.8 CRITICAL)
  • CVE-2026-7195 CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15... (8.8 HIGH)

Same CWE

  • CVE-2026-52715 Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions (9.3 CRITICAL)
  • CVE-2026-52712 Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions (7.6 HIGH)
  • CVE-2026-49772 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events C... (9.3 CRITICAL)
  • CVE-2026-39581 Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions (8.5 HIGH)
  • CVE-2026-39574 Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions (9.3 CRITICAL)