Cyber Resilience

CVE-2023-42232

Severity: High
Published: 13 January 2025
Modified: 17 April 2025
KEV Added: not listed
Patch: no patch information recorded
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0087 (75.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-42232 is a high-severity Path Traversal (CWE-22) vulnerability in HelpdeskAdvanced, recorded here under the asset name Zucchetti Helpdeskadvanced and attributed to Pat Infinite Solutions in the CVE description. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0087 places it at the 75.6th percentile, i.e. in the top 24.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-42232 is a directory traversal vulnerability affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. The flaw is in the Navigator/Index function, which lets an attacker reach files outside the directory the application intends to serve from. It carries a CVSS v3.1 base score of 7.5 (High): the vector is network-reachable (AV:N), low complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and has a high confidentiality impact (C:H) with no integrity or availability impact (I:N/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges needed. Successful exploitation enables reading arbitrary files on the server, potentially exposing sensitive information such as configuration files, user data, or system details, though it does not impact integrity or availability.

Advisories reference a CVE list entry at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md, which documents the issue but gives no patch or mitigation details. No fixed version is recorded on this page, so every deployment at or below 11.0.33 should be treated as affected until the vendor confirms a fix.

Vulnerability details

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Navigator/Index function.

CWE(s): CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in an unauthenticated, public-facing web application gives an adversary remote initial access by exploiting the exposed endpoint (T1190) and, once exploited, arbitrary reads of local files such as configuration files and credential stores (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
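The T1190/T1005 mapping above is only useful if it becomes a detection. The following is an added Python example, not code from this page or from the HelpdeskAdvanced vendor: it scans constructed web-server access-log lines for traversal attempts, decoding percent-encoding until stable (double encoding and backslashes are routine evasions), checks both the path and every query value, and reports the source address and response status. The /HDA/ application path, the file query parameter and the IP addresses are assumptions; the advisory names only the Navigator/Index function.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access-log lines in Common Log Format. The IP addresses,
# the /HDA/ application path and the 'file' query parameter are invented for
# this example; the advisory names only the Navigator/Index function.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2025:10:01:02 +0000] "GET /HDA/Navigator/Index?file=docs%2Fguide.pdf HTTP/1.1" 200 5120
203.0.113.10 - - [13/Jan/2025:10:01:09 +0000] "GET /HDA/Navigator/Index?file=..%2F..%2F..%2Fweb.config HTTP/1.1" 200 2231
198.51.100.7 - - [13/Jan/2025:10:02:15 +0000] "GET /HDA/Navigator/Index?file=..%252F..%252Fweb.config HTTP/1.1" 200 2231
198.51.100.7 - - [13/Jan/2025:10:02:30 +0000] "GET /HDA/Navigator/Index?file=....//....//web.config HTTP/1.1" 404 310
192.0.2.44 - - [13/Jan/2025:10:03:00 +0000] "GET /HDA/Home/Index HTTP/1.1" 200 880
192.0.2.44 - - [13/Jan/2025:10:03:05 +0000] "GET /HDA/Navigator/Index?file=reports%2F2024..pdf HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def full_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..%252F' becomes '../'."""
    for _ in range(rounds):
        nxt = urllib.parse.unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def has_traversal(target: str) -> bool:
    """True if the request path or any query value contains a '..' segment
    (after decoding and backslash normalization) or the '....//' evasion
    pattern that survives a filter which strips '../' only once."""
    parts = urllib.parse.urlsplit(target)
    candidates = [parts.path] + [
        v for _, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    ]
    for raw in candidates:
        v = full_decode(raw).replace("\\", "/")
        if any(seg == ".." for seg in v.split("/")) or "....//" in v:
            return True
    return False


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per traversal attempt. A 200 response to such a
    request is the strongest indicator that a file was actually disclosed;
    a 404 suggests the attempt failed or was blocked."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group("target")):
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": m.group("status"),
            # Distinguish hits on the endpoint the advisory names from
            # traversal attempts against other routes.
            "navigator_index": "/navigator/index" in m.group("target").lower(),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {f['target']}")
```

Note that the legitimate request for reports/2024..pdf is not flagged: the check is for a whole segment equal to "..", not for the substring "..", which keeps the rule usable in a SIEM without drowning in false positives.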

CVEs Like This One

CVE-2023-42226 (same product: Zucchetti Helpdeskadvanced)
CVE-2023-42227 (same product: Zucchetti Helpdeskadvanced)
CVE-2023-42225 (same product: Zucchetti Helpdeskadvanced)
CVE-2023-42231 (same product: Zucchetti Helpdeskadvanced)
CVE-2023-42228 (same product: Zucchetti Helpdeskadvanced)
CVE-2025-12824 (shared CWE-22)
CVE-2026-49136 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)

Affected Assets

zucchetti helpdeskadvanced ≤ 11.0.33

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the directory traversal vulnerability in the HelpdeskAdvanced Navigator/Index function by identifying, testing, and installing vendor patches or updates.

prevent, SI-10 (Information Input Validation): Validates inputs to the Navigator/Index function to block directory traversal sequences such as '../' (including their encoded forms), preventing unauthorized file access.

prevent, SC-7 (Boundary Protection): Implements boundary protection such as web application firewalls to monitor and block network-based directory traversal attempts targeting the vulnerable endpoint.
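To make the SI-10 item concrete, and to show the arbitrary-file-read mechanism described under Deeper analysis, here is an added Python example (not the product's code and not from the advisory) of the unsafe path construction beside a hardened resolver that decodes, normalizes and only then checks containment against the document root. BASE_DIR and the user_path parameter are assumptions; the advisory does not disclose HelpdeskAdvanced's directory layout or the parameter the Navigator/Index function reads.

```python
import os
import urllib.parse
from typing import Optional

# Constructed document root for the example; the real HelpdeskAdvanced
# directory layout and the Navigator/Index parameter name are not known
# from the advisory, so 'user_path' stands in for whatever the endpoint reads.
BASE_DIR = "/srv/helpdesk/attachments"


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """The CWE-22 pattern: join and normalize, but never confirm the result
    is still under base_dir. os.path.join also drops base_dir entirely when
    user_path is absolute, so '/etc/passwd' is served as-is."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path if it stays inside base_dir,
    otherwise None (the caller should answer 400/404, never serve it)."""
    # Decode percent-encoding until stable so '..%252f' is seen as '../'.
    decoded = user_path
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # NUL bytes can truncate the path in native file APIs; refuse them outright.
    if "\x00" in decoded:
        return None
    # Windows/IIS hosts treat backslash as a separator; normalize before checking.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths and any '..' segment before joining.
    if decoded.startswith("/") or any(seg == ".." for seg in decoded.split("/")):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Containment check on the canonical path; this also defeats symlinks
    # inside the root that point outside it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["docs/guide.pdf", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
              "..%252f..%252fetc/passwd", "/etc/passwd", "..\\..\\windows\\win.ini"]:
        print(f"{p!r:32} unsafe={unsafe_resolve(BASE_DIR, p)!r}")
        print(f"{'':32} safe  ={safe_resolve(BASE_DIR, p)!r}")
```

The order matters: decode first, then normalize separators, then check, then canonicalize and re-check. A check performed before decoding is what a '..%2f' or double-encoded payload is designed to slip past, and a check performed only on the joined string (without realpath) does not see symlinks.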
