Cyber Resilience

CVE-2023-42228

High

Published: 13 January 2025

Published
13 January 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0017 37.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-42228 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Zucchetti Helpdeskadvanced. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2023-42228 is an Incorrect Access Control vulnerability (CWE-281) affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. Low-privileged users can edit their own Access Control List (ACL) rules by sending a request directly to the administrative function "AclList/SaveAclRules," bypassing intended restrictions on such operations.

The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. This allows attackers to modify ACL rules for their accounts, potentially enabling unauthorized access escalations or other privilege abuses within the HelpdeskAdvanced system.

The primary reference is a GitLab repository at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md documenting the CVE, with no specific mitigation or patch details provided in the available information. The CVE was published on 2025-01-13.

EU & UK References

Vulnerability details

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can edit their own ACL rules by sending a request to the "AclList/SaveAclRules" administrative function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct ACL bypass enables unauthorized privilege escalation by low-privileged users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-42231Same product: Zucchetti Helpdeskadvanced
CVE-2023-42226Same product: Zucchetti Helpdeskadvanced
CVE-2023-42232Same product: Zucchetti Helpdeskadvanced
CVE-2023-42227Same product: Zucchetti Helpdeskadvanced
CVE-2023-42225Same product: Zucchetti Helpdeskadvanced
CVE-2024-56192Shared CWE-281
CVE-2026-35385Shared CWE-281
CVE-2025-30456Shared CWE-281
CVE-2024-56191Shared CWE-281
CVE-2025-25711Shared CWE-281

Affected Assets

zucchetti
helpdeskadvanced
≤ 11.0.33

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved access control policies to prevent low-privileged users from accessing and modifying administrative ACL functions like AclList/SaveAclRules.

prevent

Applies least privilege to restrict low-privileged users from performing unauthorized administrative actions on their own ACL rules.

prevent

Ensures access control decisions for administrative resources like ACL management are correctly authorized prior to enforcement.

References