CVE-2023-42034 - Vulnerability Details - OpenCVE

Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Visualware	Myconnection Server

Configuration 1 [-]

cpe:2.3:a:visualware:myconnection_server:11.3c:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://myconnectionserver.visualware.com/support/security-advisories
https://www.zerodayinitiative.com/advisories/ZDI-23-1399/

History

Fri, 08 Aug 2025 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:visualware:myconnection_server:11.3c:::::::*

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-05-03T02:12:22.307Z

Updated: 2024-08-02T19:16:49.605Z

Reserved: 2023-09-06T21:13:00.541Z

Link: CVE-2023-42034

Vulnrichment

Updated: 2024-08-02T19:16:49.605Z

NVD

Status : Analyzed

Published: 2024-05-03T03:15:36.233

Modified: 2025-08-08T18:51:13.450

Link: CVE-2023-42034

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42034", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2023-09-06T21:13:00.541Z", "datePublished": "2024-05-03T02:12:22.307Z", "dateUpdated": "2024-08-02T19:16:49.605Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:12:22.307Z"}, "title": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability", "descriptions": [{"lang": "en", "value": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613."}], "affected": [{"vendor": "Visualware", "product": "MyConnection Server", "versions": [{"version": "11.3c", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "name": "ZDI-23-1399", "tags": ["x_research-advisory"]}, {"url": "https://myconnectionserver.visualware.com/support/security-advisories", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2023-09-06T16:25:44.994-05:00", "datePublic": "2023-09-08T11:32:34.736-05:00", "source": {"lang": "en", "value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-29T16:29:03.790441Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:visualware:myconnection_server:*:*:*:*:*:*:*:*"], "vendor": "visualware", "product": "myconnection_server", "versions": [{"status": "affected", "version": "11.3c"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:25:37.203Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:16:49.605Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "name": "ZDI-23-1399", "tags": ["x_research-advisory", "x_transferred"]}, {"url": "https://myconnectionserver.visualware.com/support/security-advisories", "name": "vendor-provided URL", "tags": ["vendor-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "name": "ZDI-23-1399", "tags": ["x_research-advisory", "x_transferred"]}, {"url": "https://myconnectionserver.visualware.com/support/security-advisories", "name": "vendor-provided URL", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:16:49.605Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-29T16:29:03.790441Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:visualware:myconnection_server:*:*:*:*:*:*:*:*"], "vendor": "visualware", "product": "myconnection_server", "versions": [{"status": "affected", "version": "11.3c"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T16:18:14.509Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability", "source": {"lang": "en", "value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Visualware", "product": "MyConnection Server", "versions": [{"status": "affected", "version": "11.3c"}], "defaultStatus": "unknown"}], "datePublic": "2023-09-08T11:32:34.736-05:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/", "name": "ZDI-23-1399", "tags": ["x_research-advisory"]}, {"url": "https://myconnectionserver.visualware.com/support/security-advisories", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2023-09-06T16:25:44.994-05:00", "descriptions": [{"lang": "en", "value": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:12:22.307Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42034", "state": "PUBLISHED", "dateUpdated": "2024-08-02T19:16:49.605Z", "dateReserved": "2023-09-06T21:13:00.541Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-05-03T02:12:22.307Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:visualware:myconnection_server:11.3c:*:*:*:*:*:*:*", "matchCriteriaId": "7FFCB048-D49E-49D6-9BE4-7C223704E144", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n de Cross-Site Scripting de Visualware MyConnection Server doRTAAccessCTConfig. Esta vulnerabilidad permite a atacantes remotos eludir la autenticaci\u00f3n en las instalaciones afectadas de Visualware MyConnection Server. Se requiere una interacci\u00f3n m\u00ednima del usuario para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del m\u00e9todo doRTAAccessCTConfig. El problema se debe a la falta de validaci\u00f3n adecuada de los datos proporcionados por el usuario, lo que puede llevar a la inyecci\u00f3n de un script arbitrario. Un atacante puede aprovechar esta vulnerabilidad para eludir la autenticaci\u00f3n en el sistema. Era ZDI-CAN-21613."}], "id": "CVE-2023-42034", "lastModified": "2025-08-08T18:51:13.450", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2024-05-03T03:15:36.233", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://myconnectionserver.visualware.com/support/security-advisories"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://myconnectionserver.visualware.com/support/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1399/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}