Vulnerabilities > CVE-2015-2994 - Multiple Security vulnerability in SysAid
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/. <a href="http://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a>
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Exploit-Db
id EDB-ID:41691 last seen 2018-11-30 modified 2015-06-03 published 2015-06-03 reporter Exploit-DB source https://www.exploit-db.com/download/41691 title SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit) description SysAid Help Desk 14.4 - Multiple Vulnerabilities. CVE-2015-2993,CVE-2015-2994,CVE-2015-2995,CVE-2015-2996,CVE-2015-2997,CVE-2015-2998,CVE-2015-2999,CVE-2015-... id EDB-ID:43885 last seen 2018-01-25 modified 2015-06-10 published 2015-06-10 reporter Exploit-DB source https://www.exploit-db.com/download/43885/ title SysAid Help Desk 14.4 - Multiple Vulnerabilities
Metasploit
| description | This module exploits a file upload vulnerability in SysAid Help Desk. The vulnerability exists in the ChangePhoto.jsp in the administrator portal, which does not correctly handle directory traversal sequences and does not enforce file extension restrictions. While an attacker needs an administrator account in order to leverage this vulnerability, there is a related Metasploit auxiliary module which can create this account under some circumstances. This module has been tested in SysAid v14.4 in both Linux and Windows. |
| id | MSF:EXPLOIT/MULTI/HTTP/SYSAID_AUTH_FILE_UPLOAD |
| last seen | 2020-06-06 |
| modified | 2018-09-15 |
| published | 2015-06-03 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/sysaid_auth_file_upload.rb |
| title | SysAid Help Desk Administrator Portal Arbitrary File Upload |
Packetstorm
data source https://packetstormsecurity.com/files/download/132737/sysaid_auth_file_upload.rb.txt id PACKETSTORM:132737 last seen 2016-12-05 published 2015-07-17 reporter Pedro Ribeiro source https://packetstormsecurity.com/files/132737/SysAid-Help-Desk-Administrator-Portal-Arbitrary-File-Upload.html title SysAid Help Desk Administrator Portal Arbitrary File Upload data source https://packetstormsecurity.com/files/download/132138/sysaidhelpdesk-execdos.txt id PACKETSTORM:132138 last seen 2016-12-05 published 2015-06-03 reporter Pedro Ribeiro source https://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html title SysAid Help Desk 14.4 Code Execution / Denial Of Service / Traversal / SQL Injection
References
- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75038
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk