CVE-2023-42228
Published: 13 January 2025
Summary
CVE-2023-42228 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Zucchetti Helpdeskadvanced. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2023-42228 is an Incorrect Access Control vulnerability (CWE-281) affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. Low-privileged users can edit their own Access Control List (ACL) rules by sending a request directly to the administrative function "AclList/SaveAclRules," bypassing intended restrictions on such operations.
The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. This allows attackers to modify ACL rules for their accounts, potentially enabling unauthorized access escalations or other privilege abuses within the HelpdeskAdvanced system.
The primary reference is a GitLab repository at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md documenting the CVE, with no specific mitigation or patch details provided in the available information. The CVE was published on 2025-01-13.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46687
Vulnerability details
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can edit their own ACL rules by sending a request to the "AclList/SaveAclRules" administrative function.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct ACL bypass enables unauthorized privilege escalation by low-privileged users.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved access control policies to prevent low-privileged users from accessing and modifying administrative ACL functions like AclList/SaveAclRules.
Applies least privilege to restrict low-privileged users from performing unauthorized administrative actions on their own ACL rules.
Ensures access control decisions for administrative resources like ACL management are correctly authorized prior to enforcement.