Zultys MX-SE/MX-SE II/MX-E/MX-Virtual/MX250/MX30 prior 16.04 Patch 16109/17.0.10 Patch 17161 Web Interface /newapi/ filter sql injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250 and MX30. Affected by this vulnerability is an unknown functionality of the file /newapi/ of the component Web Interface. The manipulation of the argument filter results in sql injection. This vulnerability is identified as CVE-2023-43743. There is not any exploit available. The affected component should be upgraded.
Details
A vulnerability was found in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250 and MX30. It has been classified as critical. Affected is an unknown part of the file /newapi/ of the component Web Interface. The manipulation of the argument filter with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.
The weakness was released 12/08/2023 as ATREDIS-2023-0002. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2023-43743 since 09/22/2023. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.
Upgrading to version 16.04 Patch 16109 or 17.0.10 Patch 17161 eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.1VulDB Meta Temp Score: 7.1
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Sql injectionCWE: CWE-89 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: MX-SE/MX-SE II/MX-E/MX-Virtual/MX250/MX30 16.04 Patch 16109/17.0.10 Patch 17161
Timeline
09/22/2023 🔍12/08/2023 🔍
12/08/2023 🔍
05/28/2025 🔍
Sources
Advisory: ATREDIS-2023-0002Status: Confirmed
CVE: CVE-2023-43743 (🔍)
GCVE (CVE): GCVE-0-2023-43743
GCVE (VulDB): GCVE-100-247236
Entry
Created: 12/08/2023 07:29Updated: 05/28/2025 04:18
Changes: 12/08/2023 07:29 (42), 12/31/2023 09:44 (11), 05/28/2025 04:18 (16)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.