A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.
References
Link | Resource |
---|---|
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md | Third Party Advisory |
https://mxvirtual.com | Product |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
History
13 Dec 2023, 15:38
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-89 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | () https://mxvirtual.com - Product | |
References | () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md - Third Party Advisory | |
CPE | cpe:2.3:o:zultys:mx250_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-se_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-e:-:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-se:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-se_ii_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-se_ii:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx30_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-virtual_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx30:-:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx250:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-e_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-virtual:-:*:*:*:*:*:*:* |
|
First Time |
Zultys mx-virtual
Zultys mx-se Firmware Zultys mx250 Firmware Zultys mx-se Zultys mx30 Firmware Zultys mx-e Zultys Zultys mx-virtual Firmware Zultys mx-se Ii Firmware Zultys mx-e Firmware Zultys mx30 Zultys mx-se Ii Zultys mx250 |
08 Dec 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-08 01:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-43743
Mitre link : CVE-2023-43743
CVE.ORG link : CVE-2023-43743
JSON object : View
Products Affected
zultys
- mx-se_firmware
- mx-e_firmware
- mx-virtual_firmware
- mx-e
- mx-se_ii_firmware
- mx30
- mx-se_ii
- mx250_firmware
- mx-virtual
- mx250
- mx30_firmware
- mx-se
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')