CVE-2023-42245
📋 TL;DR
CVE-2023-42245 is a cross-site scripting vulnerability in Selesta Visual Access Manager that allows attackers to inject malicious scripts into web pages viewed by other users. This affects all users of Visual Access Manager versions below 4.42.2 who access the vulnerable monitor/s_scheduledfile.php endpoint.
💻 Affected Systems
- Selesta Visual Access Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or install malware via drive-by downloads.
Likely Case
Session hijacking leading to unauthorized access, credential theft, or defacement of the application interface.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited and require user interaction (victim must visit malicious page).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.42.2
Vendor Advisory: https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md
Restart Required: Yes
Instructions:
1. Download Visual Access Manager version 4.42.2 or later from official vendor sources.
2. Back up the current installation and configuration.
3. Apply the update following vendor documentation.
4. Restart the Visual Access Manager service.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize user input before processing.
Implement input validation in monitor/s_scheduledfile.php to filter script tags and special characters
Output Encoding
Apply proper output encoding when displaying user-controlled data.
Use HTML entity encoding for all user-supplied data in the affected endpoint
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable or restrict access to the monitor/s_scheduledfile.php endpoint if not required
🔍 How to Verify
Check if Vulnerable:
Check if Visual Access Manager version is below 4.42.2 and test the monitor/s_scheduledfile.php endpoint with XSS payloads.
Check Version:
Check the Visual Access Manager administration interface or configuration files for version information.
Verify Fix Applied:
Verify version is 4.42.2 or higher and test that XSS payloads no longer execute in the affected endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to monitor/s_scheduledfile.php with script tags or JavaScript code
- Multiple failed login attempts followed by XSS payload requests
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in parameters
- Unusual outbound connections from user browsers after visiting the vulnerable page
SIEM Query:
source="web_server_logs" AND (uri="/monitor/s_scheduledfile.php" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:"))
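The SIEM query above, implemented as an added example (not part of the original advisory or of the vendor's tooling) as a small log scanner: it parses Common Log Format access lines, URL-decodes the query string of requests to monitor/s_scheduledfile.php, and flags parameters carrying the two markers the query names. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /monitor/s_scheduledfile.php?name=report.csv HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:57:01 +0000] "GET /monitor/s_scheduledfile.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734
10.0.0.9 - - [10/Oct/2023:13:57:05 +0000] "GET /monitor/s_scheduledfile.php?name=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 734
10.0.0.7 - - [10/Oct/2023:13:58:10 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
TARGET_PATH = "/monitor/s_scheduledfile.php"
# Markers from the advisory's SIEM query; compared after URL-decoding and case-folding
# so that percent-encoded or mixed-case variants do not slip past a literal match.
MARKERS = ("<script", "javascript:")


def suspicious_params(target: str):
    """Return (param, value) pairs on the affected endpoint whose decoded value carries a marker."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    # parse_qsl already decodes one layer; the extra unquote_plus catches double-encoded values.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value).lower()
        if any(marker in decoded for marker in MARKERS):
            hits.append((key, value))
    return hits


def scan_log(text: str):
    """Return one alert dict per log line that matches the advisory's log indicator."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only requests to the affected path are considered, so the same marker on another endpoint (the last sample line) is deliberately not reported; widen TARGET_PATH if the deployment serves the script under a different prefix.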