The flawed logic leads to character set validation being applied only to the last multipart Content-Type header, even if the application iterates over all headers in the request.

"This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection," Progress explains.

Successful exploitation of these flaws could allow authenticated attackers to execute arbitrary commands and code on the LoadMaster and MOVEit WAF appliances.

Progress patched the bugs in MOVEit WAF version 7.2.63.0, LoadMaster GA version 7.2.63.1, LoadMaster LTSF version 7.2.54.17, ECS Connection Manager version 7.2.63.1, and Connection Manager for ObjectScale version 7.2.63.1.

The company says it has not received any reports that these vulnerabilities have been exploited, but urges customers to update their deployments as soon as possible.
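The validation pattern described above (a check that loops over every part but whose verdict is overwritten on each pass, so only the last multipart Content-Type header is actually enforced), as an added illustration in Python. This is not Progress's code and does not reproduce the actual LoadMaster or MOVEit WAF flaw; it only shows the general shape of the bug and the corrected form. The minimal multipart parser, the charset allowlist, the boundary string and the two request bodies are all constructed for the example.

```python
import re

# Constructed allowlist of charsets the hypothetical WAF is willing to inspect.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}


def split_multipart(body: bytes, boundary: bytes):
    """Return the Content-Type value of each part (None if the part has none).

    Minimal parser for the example: splits on the boundary delimiter and
    reads each part's header block up to the first blank line.
    """
    delim = b"--" + boundary
    content_types = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        headers_blob, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        ctype = None
        for line in headers_blob.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-type":
                ctype = value.strip().decode("ascii", "replace")
        content_types.append(ctype)
    return content_types


def charset_of(ctype):
    """Extract the charset parameter from a Content-Type value, lower-cased."""
    if not ctype:
        return None
    m = re.search(r'charset\s*=\s*"?([^";\s]+)', ctype, re.IGNORECASE)
    return m.group(1).lower() if m else None


def flawed_check(body: bytes, boundary: bytes) -> bool:
    """Buggy validator: iterates over every part, but `ok` is reassigned on
    each iteration, so the returned verdict reflects only the last part."""
    ok = True
    for ctype in split_multipart(body, boundary):
        cs = charset_of(ctype)
        ok = cs is None or cs in ALLOWED_CHARSETS
    return ok


def fixed_check(body: bytes, boundary: bytes) -> bool:
    """Corrected validator: fail closed as soon as any part declares a
    charset outside the allowlist."""
    for ctype in split_multipart(body, boundary):
        cs = charset_of(ctype)
        if cs is not None and cs not in ALLOWED_CHARSETS:
            return False
    return True


# Constructed sample requests (boundary and contents are illustrative only).
BOUNDARY = b"exampleboundary"

# First part declares a charset outside the allowlist; last part is benign.
CRAFTED = (
    b"--exampleboundary\r\n"
    b'Content-Disposition: form-data; name="a"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n\r\n"
    b"encoded-data-here\r\n"
    b"--exampleboundary\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"hello\r\n"
    b"--exampleboundary--\r\n"
)

# Both parts use an allowlisted charset.
BENIGN = (
    b"--exampleboundary\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"one\r\n"
    b"--exampleboundary\r\n"
    b'Content-Type: text/plain; charset="ISO-8859-1"\r\n\r\n'
    b"two\r\n"
    b"--exampleboundary--\r\n"
)

if __name__ == "__main__":
    print("crafted, flawed check:", flawed_check(CRAFTED, BOUNDARY))  # True (bypass)
    print("crafted, fixed check: ", fixed_check(CRAFTED, BOUNDARY))   # False
    print("benign, fixed check:  ", fixed_check(BENIGN, BOUNDARY))    # True
```

The useful check when reviewing any per-header or per-part validator is whether a failing result can be overwritten by a later passing one; a loop that computes a fresh verdict each iteration and returns the final value is the classic form of this bug, and the fix is to return (or accumulate with `and`) on the first failure.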
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek