CVE-2023-43743

2023-12-0800:00:00

mitre

www.cve.org

sql injection

zultys mx

firmware

authenticated attacker

arbitrary sql queries

backend database

filter parameter

newapi endpoint

web interface

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.

References

github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md

mxvirtual.com