A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.
References
Link | Resource |
---|---|
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md | Third Party Advisory |
https://mxvirtual.com | Product |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
History
13 Dec 2023, 15:38
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:h:zultys:mx-virtual:-:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-se:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-se_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx250:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-virtual_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx250_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-se_ii_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-e:-:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx-e_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zultys:mx30_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx-se_ii:-:*:*:*:*:*:*:* cpe:2.3:h:zultys:mx30:-:*:*:*:*:*:*:* |
|
References | () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md - Third Party Advisory | |
References | () https://mxvirtual.com - Product | |
Summary |
|
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Zultys mx250
Zultys mx-se Ii Zultys mx-se Firmware Zultys mx-se Zultys mx-se Ii Firmware Zultys Zultys mx30 Zultys mx-e Zultys mx-e Firmware Zultys mx30 Firmware Zultys mx-virtual Firmware Zultys mx-virtual Zultys mx250 Firmware |
|
CWE | CWE-89 |
08 Dec 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-08 01:15
Updated : 2023-12-13 15:38
NVD link : CVE-2023-43743
Mitre link : CVE-2023-43743
CVE.ORG link : CVE-2023-43743
JSON object : View
Products Affected
zultys
- mx-se_ii_firmware
- mx-e
- mx-virtual_firmware
- mx-se
- mx-se_firmware
- mx30_firmware
- mx-virtual
- mx250_firmware
- mx30
- mx-e_firmware
- mx250
- mx-se_ii
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')