Cyber Posture

CVE-2023-42225

High

Published: 13 January 2025
Modified: 17 April 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0053 (67.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function.

Security Summary

CVE-2023-42225 is a directory traversal vulnerability affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. The flaw resides in the Attachment/DownloadTempFile function, which allows attackers to access files outside the intended directory by manipulating input parameters, as classified under CWE-22. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impacts.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted requests to the vulnerable function, they can traverse directories and retrieve arbitrary files from the server, potentially exposing sensitive information such as configuration files, user data, or system details.

The primary reference for this CVE is a listing in a GitLab repository at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md, which documents the issue but, in the information available, gives no specific details on patches or mitigation steps. Security practitioners should check with the vendor for a fixed release beyond version 11.0.33 and, as interim measures, validate the file-name input passed to the affected function or restrict access to the affected endpoint.
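As an added example of the two interim measures just described (this is not the vendor's code and does not come from the cited reference), the following Python shows how a download handler can confine a requested file name to its temp-file directory, and how a reviewer can flag traversal attempts against the affected endpoint in web-server access logs. The query parameter name `file`, the log format and the sample log lines are constructed assumptions.

```python
"""Defensive helpers for a file-download endpoint (added example).

Assumptions: the endpoint takes a user-supplied file name, the server stores
temp files under one base directory, and access logs are in common log format.
"""
import os
import re
from urllib.parse import unquote

# Affected endpoint named in the CVE description; the parameter name is assumed.
AFFECTED_ENDPOINT = "Attachment/DownloadTempFile"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def _decode(value: str) -> str:
    # Decode twice so a double-encoded %252e%252e%252f is seen as "../",
    # then fold backslashes so Windows-style separators are treated alike.
    return unquote(unquote(value)).replace("\\", "/")


def resolve_download_path(base_dir: str, requested: str):
    """Return the real path of `requested` inside base_dir, or None if it escapes.

    Rejects empty names, NUL bytes and absolute paths up front, then compares the
    fully resolved candidate (symlinks included) against the resolved base dir.
    """
    name = _decode(requested)
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Must be strictly below base: commonpath equal to base and not base itself.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def looks_like_traversal(value: str) -> bool:
    """True if the (decoded) request target contains a parent-directory step."""
    decoded = _decode(value)
    return "../" in decoded or decoded.endswith("..")


def flag_traversal_requests(log_lines):
    """Return (client_ip, request_target) for traversal attempts on the endpoint."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if AFFECTED_ENDPOINT in target and looks_like_traversal(target):
            hits.append((line.split()[0], target))
    return hits


# Constructed sample access-log lines (not real traffic). The second and third
# requests carry single- and double-encoded traversal sequences.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jan/2025:10:00:01 +0000] "GET /Attachment/DownloadTempFile?file=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [13/Jan/2025:10:00:02 +0000] "GET /Attachment/DownloadTempFile?file=..%2F..%2Fweb.config HTTP/1.1" 200 812',
    '10.0.0.9 - - [13/Jan/2025:10:00:03 +0000] "GET /Attachment/DownloadTempFile?file=%252e%252e%252fweb.config HTTP/1.1" 200 812',
    '10.0.0.7 - - [13/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    base = "/srv/helpdesk/tmp"  # assumed temp-file directory
    for name in ["report.pdf", "sub/../report.pdf", "../../etc/passwd",
                 "..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc/passwd"]:
        print(f"{name!r:32} -> {resolve_download_path(base, name)}")
    for ip, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Because the check compares `realpath` results rather than the raw string, it also rejects a name that stays lexically inside the directory but reaches outside through a symlink; the decode-twice step is what catches the double-encoded form, which a single `unquote` would let through as a literal `%2e%2e%2f` file name.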

Details

CWE(s)
CWE-22

Affected Products

zucchetti
helpdeskadvanced
≤ 11.0.33

References