Sysaid

30 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.15%
  • Published 12.05.2022 20:15:15
  • Last modified 21.11.2024 06:48:06

Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vuln...

  • EPSS 0.11%
  • Published 12.05.2022 20:15:14
  • Last modified 21.11.2024 06:47:28

Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest; after that, the system redirects him to the service portal or EndUserPortal.JSP, then he needs to chang...

  • EPSS 0.17%
  • Published 12.05.2022 20:15:14
  • Last modified 21.11.2024 06:47:28

Sysaid – SysAid Open Redirect - An attacker can change the redirect link in the "redirectURL" parameter of a GET request to the URL location: /CommunitySSORedirect.jsp?redirectURL=https://google.com. Unvalidated redirects and forwards are possible...

  • EPSS 0.23%
  • Published 12.05.2022 20:15:14
  • Last modified 21.11.2024 06:47:28

Sysaid – SysAid System Takeover - An attacker can bypass the authentication process by accessing /wmiwizard.jsp, then /ConcurrentLogin.jsp, and then clicking the login button, which redirects to /home.jsp without any authentication.

  • EPSS 0.83%
  • Published 11.01.2022 20:15:07
  • Last modified 21.11.2024 06:30:06

An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, serv...

  • EPSS 0.23%
  • Published 11.01.2022 20:15:07
  • Last modified 21.11.2024 06:30:06

An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile a...

Exploit
  • EPSS 0.58%
  • Published 11.01.2022 20:15:07
  • Last modified 21.11.2024 06:30:06

A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.

Exploit
  • EPSS 41.3%
  • Published 29.10.2021 11:15:08
  • Last modified 21.11.2024 06:06:22

SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.

Exploit
  • EPSS 0.26%
  • Published 22.07.2021 12:15:07
  • Last modified 21.11.2024 06:04:01

SysAid 20.3.64 b14 is affected by Blind and Stacked SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1).

Exploit
  • EPSS 5.9%
  • Published 22.07.2021 12:15:07
  • Last modified 21.11.2024 06:03:15

SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI.