Vulnerabilities > Sysaid

DATE CVE VULNERABILITY TITLE RISK
2022-01-11 CVE-2021-43971 SQL Injection vulnerability in Sysaid 20.4.74
A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
network
low complexity
sysaid CWE-89
6.5
2022-01-11 CVE-2021-43972 Unspecified vulnerability in Sysaid 20.4.74
An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
network
low complexity
sysaid
6.8
2022-01-11 CVE-2021-43973 Unrestricted Upload of File with Dangerous Type vulnerability in Sysaid 20.4.74
An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body.
network
low complexity
sysaid CWE-434
6.5
2022-01-11 CVE-2021-43974 Incorrect Authorization vulnerability in Sysaid Itil 20.4.74
An issue was discovered in SysAid ITIL 20.4.74 b10.
network
low complexity
sysaid CWE-863
5.0
2021-12-14 CVE-2021-36721 Improper Authentication vulnerability in Sysaid Application Programming Interface
Sysaid API User Enumeration - Attacker sending requests to specific api path without any authorization before 21.3.60 version could get users names from the LDAP server.
network
low complexity
sysaid CWE-287
5.0
2021-10-29 CVE-2021-31862 Cross-site Scripting vulnerability in Sysaid 20.4.74
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.
network
sysaid CWE-79
4.3
2021-07-22 CVE-2021-30049 Cross-site Scripting vulnerability in Sysaid 20.3.64
SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI.
network
sysaid CWE-79
4.3
2021-07-22 CVE-2021-30486 SQL Injection vulnerability in Sysaid 20.3.64
SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1).
network
low complexity
sysaid CWE-89
6.5
2020-10-02 CVE-2020-13168 Cross-site Scripting vulnerability in Sysaid On-Premises and Sysaidsy On-Premises
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter.
network
sysaid CWE-79
4.3
2020-04-21 CVE-2020-10569 Unrestricted Upload of File with Dangerous Type vulnerability in Sysaid On-Premise 20.1.11
** DISPUTED ** SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack.
network
low complexity
sysaid CWE-434
critical
10.0