CVE-2023-42228

High

Published: 13 January 2025

Published

13 January 2025

Modified

17 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 31.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can edit their own ACL rules by sending a request to the "AclList/SaveAclRules" administrative function.

Security Summary

CVE-2023-42228 is an Incorrect Access Control vulnerability (CWE-281) affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. Low-privileged users can edit their own Access Control List (ACL) rules by sending a request directly to the administrative function "AclList/SaveAclRules," bypassing intended restrictions on such operations.

The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. This allows attackers to modify ACL rules for their accounts, potentially enabling unauthorized access escalations or other privilege abuses within the HelpdeskAdvanced system.

The primary reference is a GitLab repository at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md documenting the CVE, with no specific mitigation or patch details provided in the available information. The CVE was published on 2025-01-13.

Details

CWE(s): CWE-281

Affected Products

zucchetti

helpdeskadvanced

≤ 11.0.33

References

https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md
Third Party Advisory · cve@mitre.org