Cyber Posture

CVE-2023-42244

High

Published: 13 January 2025

Modified: 17 April 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in multiple POST parameters of /vam/vam_visits.php.

Security Summary

CVE-2023-42244 is a SQL injection vulnerability (CWE-89) in Selesta Visual Access Manager (VAM) versions prior to 4.42.2. The flaw lies in multiple POST parameters of the /vam/vam_visits.php endpoint, where user-supplied input is not properly validated or parameterized before being incorporated into SQL queries.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation has a high impact on confidentiality, integrity, and availability (CVSS 8.8), potentially enabling data exfiltration, modification, or deletion within the application's database.

The vulnerability was published on 2025-01-13, with a reference in a CVE list at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md. Mitigation involves updating to Selesta VAM version 4.42.2 or later, as the issue affects prior releases.

Details

CWE(s)
CWE-89

Affected Products

seling
visual access manager
≤ 4.42.2

References