CVE-2023-50811

An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.gruppotim.it/it/footer/red-team.html	Third Party Advisory
https://www.gruppotim.it/it/footer/red-team.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:seling:visual_access_manager:4.38.6:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-03-19 22:15

Updated : 2025-03-27 16:15

NVD link : CVE-2023-50811

Mitre link : CVE-2023-50811

CVE.ORG link : CVE-2023-50811

JSON object : View

Products Affected

seling

visual_access_manager

CWE

NVD-CWE-noinfo CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-863

Incorrect Authorization

{"id": "CVE-2023-50811", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-03-19T22:15:06.840", "references": [{"url": "https://www.gruppotim.it/it/footer/red-team.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.gruppotim.it/it/footer/red-team.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-444"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the \u201ccomputer\u201d POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one."}, {"lang": "es", "value": "Un problema descubierto en SELESTA Visual Access Manager 4.38.6 permite a los atacantes modificar el par\u00e1metro POST de la \"computadora\" relacionado con el ID de una recepci\u00f3n espec\u00edfica mediante la interceptaci\u00f3n de solicitudes POST HTTP. Iterando ese par\u00e1metro se ha podido acceder a la aplicaci\u00f3n y tomar el control de muchas otras recepciones adem\u00e1s de la asignada."}], "lastModified": "2025-03-27T16:15:20.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:seling:visual_access_manager:4.38.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CC951DF-0489-439E-B190-CA66648DCA5F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}