CVE-2023-42226
Published: 13 January 2025
Summary
CVE-2023-42226 is a high-severity Path Traversal (CWE-22) vulnerability in Zucchetti HelpdeskAdvanced. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33 are affected by CVE-2023-42226, a directory traversal vulnerability (CWE-22) in the Email/SaveAttachment function. The flaw allows attackers to access files outside the intended directory by manipulating input parameters. Its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a high confidentiality impact, network reachability, and no authentication requirement.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction needed. Successful exploitation enables reading sensitive files on the server, potentially exposing configuration data, user information, or other arbitrary files, though it does not affect integrity or availability.
Advisories reference a CVE list at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md, but no specific mitigation or patch details are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46685
Vulnerability details
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Email/SaveAttachment function.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in a public-facing web application (Email/SaveAttachment) directly enables remote unauthenticated file read: T1190 (Exploit Public-Facing Application) for initial access, then T1005 (Data from Local System) for the file read itself.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the directory traversal flaw in the Email/SaveAttachment function of HelpdeskAdvanced <= 11.0.33 through timely patching or code correction.
- SI-10 (Information Input Validation): Validates manipulated input parameters to the SaveAttachment function to reject directory traversal sequences like '../' and prevent unauthorized file access.
- Access control enforcement: Enforces logical access controls on system resources to restrict reading of sensitive files outside the intended attachment directory.
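The SI-10 control above describes input validation for an attachment-name parameter in general terms. The following is an added example of such a check, not code from HelpdeskAdvanced or its vendor; the attachment directory name, the function names and the sample parameter values are constructed for illustration, and the function expects the parameter as the web framework hands it (already URL-decoded).

```python
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when an attachment name would escape the attachment directory."""


def resolve_attachment_path(attachment_dir: str, user_path: str) -> Path:
    """Map an untrusted attachment name onto a path guaranteed to lie inside attachment_dir.

    Defence in depth: a syntactic filter rejects obvious traversal tokens first, then the
    joined path is canonicalised (symlinks followed) and checked for containment in the base.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty name or NUL byte")
    # Treat '\' as a separator too, so '..\..\web.config' is caught on POSIX hosts as well.
    normalized = user_path.replace("\\", "/")
    # Absolute paths and drive-qualified names (C:...) must never come from a client.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise UnsafePathError("absolute path not allowed")
    # Any '..' component is rejected, even ones that would still land inside the base.
    if ".." in normalized.split("/"):
        raise UnsafePathError("parent-directory reference not allowed")
    base = Path(attachment_dir).resolve()
    candidate = (base / normalized).resolve()
    # Final authority: canonical containment check, which also catches symlinks pointing outside.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafePathError("resolved path escapes attachment directory")
    return candidate


def is_safe_attachment_name(attachment_dir: str, user_path: str) -> bool:
    """True if user_path stays inside attachment_dir; handy for tests and for triaging request logs."""
    try:
        resolve_attachment_path(attachment_dir, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample parameter values of the kind a SaveAttachment-style endpoint might receive.
    samples = ["invoice.pdf", "2024/report.docx", "../../etc/passwd", "..\\..\\web.config",
               "/etc/shadow", "C:\\Windows\\win.ini", "a/../../x", "a\x00.txt"]
    for sample in samples:
        verdict = "ok" if is_safe_attachment_name("attachments", sample) else "REJECTED"
        print(f"{sample!r:28} -> {verdict}")
```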