Vulnerabilities > CVE-2015-3001 - Credentials Management vulnerability in Sysaid
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
SysAid Help Desk before 15.2 uses a hardcoded password of Password1 for the sa SQL Server Express user account, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | SysAid Help Desk 14.4 - Multiple Vulnerabilities. CVE-2015-2993,CVE-2015-2994,CVE-2015-2995,CVE-2015-2996,CVE-2015-2997,CVE-2015-2998,CVE-2015-2999,CVE-2015-... |
| id | EDB-ID:43885 |
| last seen | 2018-01-25 |
| modified | 2015-06-10 |
| published | 2015-06-10 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/43885/ |
| title | SysAid Help Desk 14.4 - Multiple Vulnerabilities |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/132138/sysaidhelpdesk-execdos.txt |
| id | PACKETSTORM:132138 |
| last seen | 2016-12-05 |
| published | 2015-06-03 |
| reporter | Pedro Ribeiro |
| source | https://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html |
| title | SysAid Help Desk 14.4 Code Execution / Denial Of Service / Traversal / SQL Injection |
References
- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75035
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk