CVE-2023-42231
Published: 13 January 2025
Summary
CVE-2023-42231 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Zucchetti Helpdeskadvanced. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 34.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2023-42231 is an Incorrect Access Control vulnerability (CWE-281) affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. The issue allows low-privileged users to delete administrator accounts by sending a specially crafted request to the "WSCView/Delete" function. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.
A low-privileged user with valid credentials can exploit this vulnerability remotely without user interaction. By targeting the "WSCView/Delete" endpoint, the attacker can delete admin users, potentially leading to denial of service for administrative functions and unauthorized disruption of access controls.
The primary reference for advisories is available at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md. Specific details on patches or mitigations are not outlined in the provided CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46690
Vulnerability details
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the "WSCView/Delete" function.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a web application (helpdesk) allows remote, unauthorized account deletion via a crafted request, which directly enables exploitation of the public-facing application and results in removal of account access.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly preventing low-privileged users from accessing the WSCView/Delete function to remove admin accounts.
AC-6 enforces least privilege, ensuring low-privileged users lack the permissions needed to delete administrator accounts via the vulnerable endpoint.
AC-2 requires managed account lifecycle processes that authorize only appropriate roles for deletions, mitigating unauthorized admin account removal.
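To show what AC-3 and AC-6 enforcement means for an account-deletion endpoint, the following is an added illustration and is not code from HelpdeskAdvanced. It contrasts a delete handler that checks only authentication (the class of flaw described above) with one that enforces role-based authorization server-side and records each decision for account-lifecycle review (AC-2). All names, roles and accounts are constructed for the example.

```python
from dataclasses import dataclass

class AuthorizationError(Exception):
    """Raised when the caller is authenticated but not authorized for the action."""

@dataclass
class User:
    name: str
    role: str  # "admin" or "user" (constructed roles for this example)

class UserDirectory:
    """Minimal account store with a vulnerable and a hardened delete operation."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.audit = []  # account lifecycle events, as AC-2 expects them to be recorded

    def delete_vulnerable(self, caller, target):
        # Only checks that the caller is logged in; any valid session can delete anyone.
        if caller not in self.users:
            raise AuthorizationError("not authenticated")
        return self.users.pop(target, None) is not None

    def delete_hardened(self, caller, target):
        # AC-3: enforce the approved authorization server-side, on every request.
        actor = self.users.get(caller)
        if actor is None:
            raise AuthorizationError("not authenticated")
        # AC-6: only the administrator role may remove accounts.
        if actor.role != "admin":
            self.audit.append(("denied", caller, target))
            raise AuthorizationError(f"{caller} is not permitted to delete accounts")
        victim = self.users.get(target)
        if victim is None:
            return False
        # Guard rails: no self-deletion, and never remove the last administrator.
        remaining_admins = sum(1 for u in self.users.values() if u.role == "admin")
        if caller == target or (victim.role == "admin" and remaining_admins == 1):
            self.audit.append(("denied", caller, target))
            raise AuthorizationError("refusing to delete own account or the last admin")
        del self.users[target]
        self.audit.append(("deleted", caller, target))
        return True

def make_directory():
    # Constructed sample accounts, not data from the affected product.
    return UserDirectory([User("alice", "admin"), User("bob", "user"), User("carol", "admin")])
```

The "denied" audit entries are the signal a detection rule would key on: a non-admin account repeatedly hitting the delete action is the behaviour described in this record.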