Vulnerabilities > Sysaid

DATE CVE VULNERABILITY TITLE RISK
2022-06-24 CVE-2022-23170 XXE vulnerability in Sysaid Okta SSO
SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability.
network
sysaid CWE-611
6.8
2022-05-12 CVE-2022-22796 Improper Authentication vulnerability in Sysaid
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
network
low complexity
sysaid CWE-287
critical
10.0
2022-05-12 CVE-2022-22797 Open Redirect vulnerability in Sysaid
Sysaid – sysaid Open Redirect - An Attacker can change the redirect link at the parameter "redirectURL" from"GET" request from the url location: /CommunitySSORedirect.jsp?redirectURL=https://google.com.
network
sysaid CWE-601
5.8
2022-05-12 CVE-2022-22798 Incorrect Authorization vulnerability in Sysaid
Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp after that he will receive an error message with a login button, by clicking on it, he will connect to the system dashboard.
network
low complexity
sysaid CWE-863
critical
9.0
2022-05-12 CVE-2022-23165 Cross-site Scripting vulnerability in Sysaid
Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability.
network
sysaid CWE-79
4.3
2022-05-12 CVE-2022-23166 Path Traversal vulnerability in Sysaid
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path.
network
low complexity
sysaid CWE-22
critical
10.0
2022-01-11 CVE-2021-43971 SQL Injection vulnerability in Sysaid 20.4.74
A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
network
low complexity
sysaid CWE-89
6.5
2022-01-11 CVE-2021-43972 Unspecified vulnerability in Sysaid 20.4.74
An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
network
low complexity
sysaid
6.8
2022-01-11 CVE-2021-43973 Unrestricted Upload of File with Dangerous Type vulnerability in Sysaid 20.4.74
An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body.
network
low complexity
sysaid CWE-434
6.5
2022-01-11 CVE-2021-43974 Missing Authentication for Critical Function vulnerability in Sysaid Itil 20.4.74
An issue was discovered in SysAid ITIL 20.4.74 b10.
network
low complexity
sysaid CWE-306
5.0