CVE-2023-42226

Severity: High

Published: 13 January 2025
Modified: 17 April 2025
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0072 (72.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-42226 is a high-severity Path Traversal (CWE-22) vulnerability in Zucchetti Helpdeskadvanced. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33 are affected by CVE-2023-42226, a directory traversal vulnerability (CWE-22) in the Email/SaveAttachment function. The flaw allows attackers to access files outside the intended directory by manipulating input parameters. Its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects high confidentiality impact combined with network accessibility and no authentication requirement.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction needed. Successful exploitation enables reading sensitive files on the server, potentially exposing configuration data, user information, or other arbitrary files, though it does not affect integrity or availability.

Advisories reference the CVE list at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md, but the available information gives no specific mitigation or patch details.

Vulnerability details

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via Email/SaveAttachment function.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in a public-facing web application (Email/SaveAttachment) directly enables remote, unauthenticated file reads: T1190 for initial access, followed by T1005 for collecting data from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2023-42227 (same product: Zucchetti Helpdeskadvanced)
- CVE-2023-42232 (same product: Zucchetti Helpdeskadvanced)
- CVE-2023-42225 (same product: Zucchetti Helpdeskadvanced)
- CVE-2023-42231 (same product: Zucchetti Helpdeskadvanced)
- CVE-2023-42228 (same product: Zucchetti Helpdeskadvanced)
- CVE-2025-12824 (shared CWE-22)
- CVE-2026-49136 (shared CWE-22)
- CVE-2026-25965 (shared CWE-22)
- CVE-2025-30567 (shared CWE-22)
- CVE-2025-27098 (shared CWE-22)

Affected Assets

Vendor: zucchetti
Product: helpdeskadvanced
Versions: ≤ 11.0.33

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2 Flaw Remediation): Directly remediates the directory traversal flaw in the Email/SaveAttachment function of HelpdeskAdvanced <= 11.0.33 through timely patching or code correction.
- prevent (SI-10 Information Input Validation): Validates manipulated input parameters to the SaveAttachment function to reject directory traversal sequences like '../' and prevent unauthorized file access.
- prevent: Enforces logical access controls on system resources to restrict reading of sensitive files outside the intended attachment directory.
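The input-validation control above describes the defensive pattern in one sentence; the block below is an added example, not HelpdeskAdvanced's code, of what that check looks like for a user-supplied attachment name. The storage root, the function names and the sample inputs are assumptions made for illustration. It layers two independent checks, a syntactic allow-list on the name and a canonical-path containment test, so that a bypass of either one is still caught by the other.

```python
import os
from urllib.parse import unquote

# Assumed storage root for saved attachments (illustrative, not the product's real path).
ATTACHMENT_ROOT = "/srv/helpdesk/attachments"


class UnsafeAttachmentName(ValueError):
    """Raised when a supplied attachment name could escape the storage root."""


def resolve_attachment_path(raw_name: str, root: str = ATTACHMENT_ROOT) -> str:
    """Map a client-supplied attachment name to an absolute path strictly inside ``root``.

    Raises UnsafeAttachmentName rather than silently "fixing" a bad name, so the
    caller can log the rejection as a probable traversal attempt.
    """
    # Web parameters may arrive percent-encoded; decode once before validating so
    # that an encoded '../' is judged as a separator sequence, not as harmless text.
    name = unquote(raw_name)

    if not name or "\x00" in name:
        raise UnsafeAttachmentName("empty name or embedded NUL byte")

    # Check 1 (syntactic): a bare file name contains no path separator of either
    # style (backslash matters on Windows hosts) and is not a dot-directory token.
    if "/" in name or "\\" in name or name in (".", ".."):
        raise UnsafeAttachmentName(f"separators or dot-directories in {name!r}")

    # Check 2 (semantic): resolve symlinks and '..' components, then require that
    # the candidate still sits under the resolved root.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise UnsafeAttachmentName(f"{name!r} resolves outside {root}")
    return candidate


def is_safe_attachment_name(raw_name: str, root: str = ATTACHMENT_ROOT) -> bool:
    """Boolean form of the check, convenient for request filtering and tests."""
    try:
        resolve_attachment_path(raw_name, root)
        return True
    except UnsafeAttachmentName:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several traversal attempts.
    samples = ["invoice.pdf", "../../etc/passwd", "..%2F..%2Fweb.config",
               "..\\..\\boot.ini", "..", "report%00.pdf"]
    for sample in samples:
        verdict = "accepted" if is_safe_attachment_name(sample) else "rejected"
        print(f"{sample!r:28} -> {verdict}")
```

Logging the rejected name (and the source address) from the `except` branch gives a cheap detection signal: legitimate clients never send separators or encoded dot-dot sequences in an attachment name, so every rejection is worth a security event.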
