CVE-2023-43743

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 versions prior to 17.0.10 patch 17161 and 16.04 patch 16109

Description A SQL injection issue allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the "/newapi/" endpoint in the Zultys MX web interface.

Recommendations For versions prior to 17.0.10 patch 17161, update to version 17.0.10 patch 17161 or later. For versions prior to 16.04 patch 16109, update to version 16.04 patch 16109 or later. As a temporary workaround, consider restricting access to the "/newapi/" endpoint until a patch is available. Avoid using the filter parameter in requests to the "/newapi/" endpoint until the issue is resolved.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2023-43743

Affected Products

Mx-E

Mx-Se Ii

Mx-Virtual

Mx250

Mx30

Zultys Mx-Se

CVE-2023-43743

Weakness Enumeration

Related Identifiers

Affected Products

References · 8