CVE-2023-43743

A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.
SQL Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
-------- | ---- | ---------- | ----------- | --------------- | -------------- | ------
NIST | NIST | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre | CNA | --- | --- | --- | --- | ---
CVE | ADP | --- | --- | --- | --- | ---
CISA-ADP | ADP | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: CVSS 3.x
EPSS Score: Percentile 21%
Vendor | Product | Version
------ | ------- | -------
zultys | mx-se_firmware | x < 16.0.4
zultys | mx-se_firmware | 17.0.6 ≤ x < 17.0.10
zultys | mx-se_ii_firmware | x < 16.0.4
zultys | mx-se_ii_firmware | 17.0.6 ≤ x < 17.0.10
zultys | mx-e_firmware | x < 16.0.4
zultys | mx-e_firmware | 17.0.6 ≤ x < 17.0.10
zultys | mx-virtual_firmware | x < 16.0.4
zultys | mx-virtual_firmware | 17.0.6 ≤ x < 17.0.10
zultys | mx250_firmware | x < 16.0.4
zultys | mx250_firmware | 17.0.6 ≤ x < 17.0.10
zultys | mx30_firmware | x < 16.0.4
zultys | mx30_firmware | 17.0.6 ≤ x < 17.0.10

x = Vulnerable software versions