Vulnerability-Lookup

CNVD-2025-22662

Vulnerability from cnvd - Published: 2025-09-26

Title

Selesta Visual Access Manager存在未明漏洞（CNVD-2025-22662）

Description

Selesta Visual Access Manager是Selesta公司的一个可视访问管理器。 Selesta Visual Access Manager存在安全漏洞，攻击者可利用此漏洞通过POST HTTP请求拦截来修改和接收与ID相关的computer POST参数。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.gruppotim.it/it/footer/red-team.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-50811

Impacted products

Name
Selesta Selesta Visual Access Manager 4.38.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-50811",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-50811"
    }
  },
  "description": "Selesta Visual Access Manager\u662fSelesta\u516c\u53f8\u7684\u4e00\u4e2a\u53ef\u89c6\u8bbf\u95ee\u7ba1\u7406\u5668\u3002\n\nSelesta Visual Access Manager\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7POST HTTP\u8bf7\u6c42\u62e6\u622a\u6765\u4fee\u6539\u548c\u63a5\u6536\u4e0eID\u76f8\u5173\u7684computer POST\u53c2\u6570\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.gruppotim.it/it/footer/red-team.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-22662",
  "openTime": "2025-09-26",
  "products": {
    "product": "Selesta Selesta Visual Access Manager 4.38.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-50811",
  "serverity": "\u4e2d",
  "submitTime": "2024-03-21",
  "title": "Selesta Visual Access Manager\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-22662\uff09"
}

CVE-2023-50811 (GCVE-0-2023-50811)

Vulnerability from cvelistv5 – Published: 2024-03-19 00:00 – Updated: 2025-03-27 16:03

Summary

An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

Assigner

mitre

References

URL

Tags

https://www.gruppotim.it/it/footer/red-team.html

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:23:43.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.gruppotim.it/it/footer/red-team.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-50811",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-06T14:24:25.540850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-444",
                "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T16:03:30.496Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the \u201ccomputer\u201d POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-19T21:33:15.049Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.gruppotim.it/it/footer/red-team.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-50811",
    "datePublished": "2024-03-19T00:00:00.000Z",
    "dateReserved": "2023-12-14T00:00:00.000Z",
    "dateUpdated": "2025-03-27T16:03:30.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-22662

CVE-2023-50811 (GCVE-0-2023-50811)

Tags

Sightings

Nomenclature