CVE-2023-42247
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Visual Access Manager web interface via the monitor/s_monitor_map.php endpoint. When exploited, these scripts execute in the context of other users' browsers, potentially stealing session cookies or performing unauthorized actions. Organizations running Selesta Visual Access Manager versions below 4.42.2 are affected.
💻 Affected Systems
- Selesta Visual Access Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the Visual Access Manager system, and potentially pivot to other systems in the network.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access sensitive information, or modify access control settings within the Visual Access Manager.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
XSS vulnerabilities typically require user interaction (victim visiting a crafted link) but are straightforward to exploit once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.42.2
Vendor Advisory: https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md
Restart Required: Yes
Instructions:
1. Download Visual Access Manager version 4.42.2 or later from the official vendor portal.
2. Backup current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart the Visual Access Manager service.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize user input in the monitor/s_monitor_map.php endpoint.
Requires custom PHP code modification. The original suggestion filter_input(INPUT_GET, 'parameter', FILTER_SANITIZE_STRING); relies on a filter that is deprecated since PHP 8.1 and only strips tags; the reliable control is to HTML-encode the value at the point it is written into the page, e.g. echo htmlspecialchars((string) filter_input(INPUT_GET, 'parameter'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
Web Application Firewall
Deploy a WAF with XSS protection rules to filter malicious requests.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Restrict access to the Visual Access Manager interface to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check the Visual Access Manager version via the web interface admin panel or configuration files. If version is below 4.42.2, the system is vulnerable.
Check Version:
Check the web interface admin panel or examine configuration files for version information.
Verify Fix Applied:
After patching, verify the version shows 4.42.2 or higher. Test the monitor/s_monitor_map.php endpoint with safe XSS payloads to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to monitor/s_monitor_map.php with script tags or JavaScript code in parameters
- Multiple failed login attempts following suspicious URL accesses
Network Indicators:
- HTTP requests containing <script>, javascript:, or other XSS payload patterns in URL parameters
SIEM Query:
source="web_server_logs" AND uri="*monitor/s_monitor_map.php*" AND (param="*<script>*" OR param="*javascript:*")
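The SIEM query above matches literal <script> and javascript: strings, so URL-encoded or double-encoded payloads slip past it. The following added example (not part of the original advisory) applies the same log indicators to constructed access-log lines after URL-decoding each query parameter of requests to monitor/s_monitor_map.php; the log format, IP addresses and payloads are assumed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Oct/2023:10:00:01 +0000] "GET /monitor/s_monitor_map.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Oct/2023:10:00:02 +0000] "GET /monitor/s_monitor_map.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Oct/2023:10:00:03 +0000] "GET /monitor/s_monitor_map.php?id=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Oct/2023:10:00:04 +0000] "GET /login.php?user=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "monitor/s_monitor_map.php"  # endpoint named in the advisory
# Indicators from the Detection section plus common event-handler / tag variants.
XSS_PATTERNS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=|<\s*(img|svg|iframe)\b", re.IGNORECASE)


def suspicious_params(target):
    """Return (name, decoded value) for query parameters that match an XSS pattern."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes once
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if XSS_PATTERNS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_logs(lines):
    """Return one alert dict per request to the vulnerable endpoint carrying an XSS indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or TARGET_PATH not in urlsplit(m.group("target")).path:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Lines 2 and 3 of the sample are flagged (encoded script tag, mixed-case javascript: URI); the encoded payload against login.php is ignored because only the advisory's endpoint is in scope.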