Progress have identified a cross-site scripting vulnerability in the MOVEit Automation Web Admin interface. This could potentially allow a session to be hijacked to execute malicious code through the browser.
This affects MOVEit Automation Web Admin only (neither Transfer nor the old Automation ‘Fat client’ are affected).
All 2018 and 2019 versions of the software are at risk. Progress have produced patched versions of Automation to address this issue (see table below).
We would, however, like to be clear that on-premise installations of MOVEit Automation Web Admin that are not published to the internet do not have the same level of risk as Web Admin interfaces that can be reached from outside private networks. It is generally the case that MOVEit Automation Web Admin is inaccessible from outside a network.
In any event, we recommend that customers consider upgrading their MOVEit install to the patched version of the software at the earliest available opportunity.

| Vulnerable version | Fixed version |
|---|---|
| MOVEit Automation Web Admin 2018.0 | MOVEit Automation Web Admin 2018.0.3 |
| MOVEit Automation Web Admin 2018.2 | MOVEit Automation Web Admin 2018.2.3 |
| MOVEit Automation Web Admin 2018.3 | MOVEit Automation Web Admin 2018.3.7 |
| MOVEit Automation Web Admin 2019.0 | MOVEit Automation Web Admin 2019.0.3 |
| MOVEit Automation Web Admin 2019.1 | MOVEit Automation Web Admin 2019.1.2 |
| MOVEit Automation Web Admin 2019.2 | MOVEit Automation Web Admin 2019.2.2 |

To confirm your current version of MOVEit Automation, please navigate to the top menu inside the admin interface and select Help > About.
The upgrade can be accessed by logging in to the Progress Community – https://community.progress.
If you have any further questions or issues, please raise a support ticket by emailing firstname.lastname@example.org.