Cyber Resilience

CVE-2023-42244

High

Published: 13 January 2025

Published
13 January 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0017 38.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-42244 is a high-severity SQL Injection (CWE-89) vulnerability in Seling Visual Access Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-42244 is a SQL injection vulnerability (CWE-89) discovered in Selesta Visual Access Manager (VAM) versions prior to 4.42.2. The flaw exists in multiple POST parameters of the /vam/vam_visits.php endpoint, allowing improper handling of user-supplied input that leads to injectable SQL queries.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact confidentiality, integrity, and availability effects (CVSS 8.8), potentially enabling data exfiltration, modification, or deletion within the application's database.

The vulnerability was published on 2025-01-13, with a reference in a CVE list at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md. Mitigation involves updating to Selesta VAM version 4.42.2 or later, as the issue affects prior releases.

EU & UK References

Vulnerability details

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in multiple POST parameters of /vam/vam_visits.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in web endpoint directly enables remote exploitation of public-facing app (T1190) and unauthorized access/modification of database contents (T1213.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537Shared CWE-89
CVE-2019-25366Shared CWE-89
CVE-2019-25496Shared CWE-89
CVE-2026-1475Shared CWE-89
CVE-2026-26990Shared CWE-89
CVE-2026-44047Shared CWE-89
CVE-2025-12865Shared CWE-89
CVE-2024-11135Shared CWE-89
CVE-2019-25491Shared CWE-89
CVE-2024-13369Shared CWE-89

Affected Assets

seling
visual access manager
≤ 4.42.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation and sanitization of user-supplied inputs in vulnerable POST parameters before database queries.

prevent

Addresses the specific flaw in Selesta VAM prior to 4.42.2 by mandating timely flaw remediation through vendor patching.

prevent

Provides an additional layer of defense via boundary protection mechanisms like web application firewalls to filter malicious SQL payloads in network traffic.

References