CVE-2023-42243
📋 TL;DR
This vulnerability allows authenticated users in Selesta Visual Access Manager to access an administrative SQL interface (/common/vam_Sql.php) and execute arbitrary SQL queries. This affects all versions before 4.42.2 where the vulnerable endpoint is accessible.
💻 Affected Systems
- Selesta Visual Access Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could execute arbitrary SQL commands leading to data exfiltration, data manipulation, privilege escalation, or complete database compromise.
Likely Case
Authenticated users could read sensitive data from the database, modify user permissions, or extract credentials.
If Mitigated
With proper access controls and network segmentation, impact would be limited to authorized users within the application's intended scope.
🎯 Exploit Status
Exploitation requires authenticated access but the SQL injection appears straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.42.2
Vendor Advisory: https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md
Restart Required: Yes
Instructions:
1. Download Visual Access Manager version 4.42.2 or later from the vendor.
2. Back up the current installation and database.
3. Install the updated version following the vendor's instructions.
4. Restart the Visual Access Manager service.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Restrict access to /common/vam_Sql.php using web server configuration or firewall rules.
# Apache:
<Location "/common/vam_Sql.php">
    Require all denied
</Location>
# Nginx:
location /common/vam_Sql.php { deny all; }
Implement WAF rules
Deploy web application firewall rules to block requests targeting this endpoint.
# Example ModSecurity rule:
SecRule REQUEST_URI "@contains /common/vam_Sql.php" "id:1001,phase:1,deny"
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to the Visual Access Manager interface to only authorized users
- Enable detailed SQL query logging and monitor for unusual database activity patterns
🔍 How to Verify
Check if Vulnerable:
Check if authenticated access to https://[hostname]/common/vam_Sql.php returns an SQL interface. Verify version is below 4.42.2.
Check Version:
Check the application interface or configuration files for version information. Typically found in admin panel or /about pages.
Verify Fix Applied:
After patching, verify that accessing /common/vam_Sql.php returns an error or is inaccessible. Confirm version is 4.42.2 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple requests to /common/vam_Sql.php from single users
- Database error messages containing SQL syntax
Network Indicators:
- HTTP POST/GET requests to /common/vam_Sql.php with SQL parameters
- Unusual database connection patterns from application server
SIEM Query:
source="web_logs" AND uri="/common/vam_Sql.php" AND (method="POST" OR method="GET")
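The log indicators above can be checked offline against exported access logs. The following is an added example written for this advisory (not vendor code and not part of the original page): it parses Apache/Nginx combined-format access log lines, reports every request to /common/vam_Sql.php, counts hits per authenticated user, flags users with repeated requests (the threshold of two is an assumption), and extracts query-string parameters that carry SQL keywords. The log lines, hosts and user names are constructed for the example.

```python
"""Detect requests to the Selesta VAM SQL endpoint in combined-format access logs.

Added example for CVE-2023-42243, not code from the advisory or the vendor.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/common/vam_Sql.php"   # vulnerable endpoint named in the advisory
REPEAT_THRESHOLD = 2                  # assumption: >= 2 hits from one user is worth review

# Combined log format: ip ident user [time] "METHOD URL PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# SQL keywords that, when seen in a request parameter, match the advisory's log indicators
SQL_KEYWORD_RE = re.compile(
    r"\b(select|insert|update|delete|union|drop|alter|create)\b", re.IGNORECASE
)

# Constructed sample lines (hypothetical addresses and users, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Sep/2023:10:01:02 +0000] "GET /common/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Sep/2023:10:02:10 +0000] "GET /common/vam_Sql.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Sep/2023:10:02:31 +0000] "POST /common/vam_Sql.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Sep/2023:10:03:15 +0000] "GET /common/vam_Sql.php?sql=SELECT+*+FROM+users HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - carol [12/Sep/2023:10:05:00 +0000] "GET /common/vam_Sql.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_target(url):
    """True if the request path is the SQL endpoint (query string ignored, case-insensitive)."""
    return urlsplit(url).path.lower() == TARGET_PATH.lower()


def sql_bearing_params(url):
    """Yield (parameter, decoded value) pairs whose value contains an SQL keyword."""
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if SQL_KEYWORD_RE.search(value):
                yield name, value


def analyze_log(text):
    """Apply the advisory's log indicators to a block of access-log text."""
    hits, per_user, sql_params, blocked = [], Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_target(rec["url"]):
            continue
        hits.append(rec)
        per_user[rec["user"]] += 1
        if rec["status"] in ("401", "403", "404"):
            blocked += 1  # endpoint denied: workaround in place or access refused
        for name, value in sql_bearing_params(rec["url"]):
            sql_params.append((rec["user"], name, value))
    repeat_users = sorted(u for u, n in per_user.items() if n >= REPEAT_THRESHOLD)
    return {
        "hits": hits,
        "per_user": per_user,
        "repeat_users": repeat_users,
        "sql_params": sql_params,
        "blocked": blocked,
    }


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    print(f"{len(report['hits'])} request(s) to {TARGET_PATH}, {report['blocked']} denied")
    for user, count in report["per_user"].most_common():
        print(f"  {user}: {count} request(s)")
    print("repeat users:", report["repeat_users"])
    for user, name, value in report["sql_params"]:
        print(f"  SQL keyword in parameter {name!r} from {user}: {value!r}")
```

Access logs only carry the query string, so SQL submitted in a POST body is visible here only as the request itself; pair this with the database-side query logging recommended above to see the statements actually executed. Denied (403) responses to the endpoint after the workaround is deployed are still worth alerting on, since they show which accounts are trying to reach it.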