CVE-2023-42034

Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://myconnectionserver.visualware.com/support/security-advisories	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1399/	Third Party Advisory
https://myconnectionserver.visualware.com/support/security-advisories	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1399/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:visualware:myconnection_server:11.3c:*:*:*:*:*:*:*

History

08 Aug 2025, 18:51

Type	Values Removed	Values Added
CPE		cpe:2.3:a:visualware:myconnection_server:11.3c:::::::*
First Time		Visualware myconnection Server Visualware
References	~~() https://myconnectionserver.visualware.com/support/security-advisories -~~	() https://myconnectionserver.visualware.com/support/security-advisories - Vendor Advisory
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-23-1399/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-23-1399/ - Third Party Advisory

Information

Published : 2024-05-03 03:15

Updated : 2025-08-08 18:51

NVD link : CVE-2023-42034

Mitre link : CVE-2023-42034

CVE.ORG link : CVE-2023-42034

JSON object : View

Products Affected

visualware

myconnection_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-42034", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-05-03T03:15:36.233", "references": [{"url": "https://myconnectionserver.visualware.com/support/security-advisories", "tags": ["Vendor Advisory"], "source": "zdi-disclosures@trendmicro.com"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "tags": ["Third Party Advisory"], "source": "zdi-disclosures@trendmicro.com"}, {"url": "https://myconnectionserver.visualware.com/support/security-advisories", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n de Cross-Site Scripting de Visualware MyConnection Server doRTAAccessCTConfig. Esta vulnerabilidad permite a atacantes remotos eludir la autenticaci\u00f3n en las instalaciones afectadas de Visualware MyConnection Server. Se requiere una interacci\u00f3n m\u00ednima del usuario para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del m\u00e9todo doRTAAccessCTConfig. El problema se debe a la falta de validaci\u00f3n adecuada de los datos proporcionados por el usuario, lo que puede llevar a la inyecci\u00f3n de un script arbitrario. Un atacante puede aprovechar esta vulnerabilidad para eludir la autenticaci\u00f3n en el sistema. Era ZDI-CAN-21613."}], "lastModified": "2025-08-08T18:51:13.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:visualware:myconnection_server:11.3c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FFCB048-D49E-49D6-9BE4-7C223704E144"}], "operator": "OR"}]}], "sourceIdentifier": "zdi-disclosures@trendmicro.com"}