CVE-2023-42244
Published: 13 January 2025
Summary
CVE-2023-42244 is a high-severity SQL Injection (CWE-89) vulnerability in Seling Visual Access Manager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-42244 is a SQL injection vulnerability (CWE-89) discovered in Selesta Visual Access Manager (VAM) versions prior to 4.42.2. The flaw exists in multiple POST parameters of the /vam/vam_visits.php endpoint, allowing improper handling of user-supplied input that leads to injectable SQL queries.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact confidentiality, integrity, and availability effects (CVSS 8.8), potentially enabling data exfiltration, modification, or deletion within the application's database.
The vulnerability was published on 2025-01-13, with a reference in a CVE list at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md. Mitigation involves updating to Selesta VAM version 4.42.2 or later, as the issue affects prior releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46703
Vulnerability details
An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in multiple POST parameters of /vam/vam_visits.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in web endpoint directly enables remote exploitation of public-facing app (T1190) and unauthorized access/modification of database contents (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by requiring validation and sanitization of user-supplied inputs in vulnerable POST parameters before database queries.
Addresses the specific flaw in Selesta VAM prior to 4.42.2 by mandating timely flaw remediation through vendor patching.
Provides an additional layer of defense via boundary protection mechanisms like web application firewalls to filter malicious SQL payloads in network traffic.