Sysaid vulnerabilities

Each entry lists: publication date, CVE ID and title; the description; then attack vector, attack complexity, vendor and CWE, and the CVSS v3 base score with its severity.
2022-09-11  CVE-2022-40325  Cross-site Scripting vulnerability in Sysaid Help Desk
    SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard (aka FR# 67262).
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-79 | CVSS 6.1 (medium)
2022-06-24  CVE-2022-23170  XXE vulnerability in Sysaid Okta SSO 22.1.49/22.1.63
    The SysAid Okta SSO integration was found vulnerable to XML External Entity (XXE) injection.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-611 | CVSS 9.8 (critical)
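The Okta SSO integration consumes identity-provider XML (SAML), so the parser on the service-provider side is the XXE sink. As an added example that is not SysAid's code, the following shows the usual hardening: refuse any DOCTYPE before parsing, which removes both external-entity declarations and internal entity bombs regardless of what the underlying parser would do with them. The SAML documents are constructed for the example (unsigned and minimal), and the element names are the standard SAML 2.0 ones; everything else is hypothetical.

```python
# Added example (not SysAid code): parse an untrusted SAML response while refusing
# any DTD, which is where XXE and entity-expansion payloads are declared.
import xml.etree.ElementTree as ET
from xml.parsers import expat

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (internal or external DTD)."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # expat invokes this at the start of the DOCTYPE, before any entity in the
    # internal subset has been declared, so nothing can be expanded later.
    raise DoctypeRejected(f"DTD not permitted in untrusted XML (DOCTYPE {doctype_name})")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject DTDs with a probe parse, then parse with ElementTree."""
    probe = expat.ParserCreate()
    probe.StartDoctypeDeclHandler = _reject_doctype
    probe.Parse(data, True)  # raises DoctypeRejected, or ExpatError on malformed input
    return ET.fromstring(data)


def extract_name_id(response_xml: bytes) -> str:
    """Return the asserted NameID; raises on XXE or malformed input."""
    root = parse_untrusted_xml(response_xml)
    node = root.find(".//saml:NameID", SAML_NS)
    if node is None or not node.text:
        raise ValueError("response has no NameID")
    return node.text.strip()


def accepts(response_xml: bytes) -> bool:
    """True if the document parses, False if the DTD guard rejects it."""
    try:
        extract_name_id(response_xml)
        return True
    except DoctypeRejected:
        return False


# Constructed sample: a minimal, unsigned, illustrative SAML 2.0 response.
CLEAN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed XXE payload: the same response with a DTD declaring an external
# entity that is referenced where the NameID should be.
XXE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE samlp:Response [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(extract_name_id(CLEAN_RESPONSE))  # alice@example.com
    print(accepts(XXE_RESPONSE))             # False
```

The guard runs before any document content is interpreted, so it also stops "billion laughs" style internal-entity expansion. It only addresses parsing: a real SAML consumer must still verify the XML signature against the IdP's certificate before trusting the NameID.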
2022-05-12  CVE-2022-22796  Improper Authentication vulnerability in Sysaid
    SysAid system takeover: an attacker can bypass authentication by requesting /wmiwizard.jsp, then /ConcurrentLogin.jsp, and clicking the login button; the application redirects to /home.jsp without any authentication.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-287 | CVSS 9.8 (critical)
2022-05-12  CVE-2022-22797  Open Redirect vulnerability in Sysaid 21.1.30/21.1.50/21.4.45
    SysAid open redirect: an attacker can control the redirect target through the redirectURL parameter of a GET request to /CommunitySSORedirect.jsp, e.g. /CommunitySSORedirect.jsp?redirectURL=https://google.com.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-601 | CVSS 6.1 (medium)
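The fix for a redirect parameter like redirectURL is an allow-list on the target, not a deny-list of known bad hosts. Below is an added example of such a validator (not SysAid's code); the allowed hostname and the default landing page are hypothetical. It covers the cases that commonly slip past a naive "starts with /" check: scheme-relative "//host", backslash variants that browsers rewrite to slashes, userinfo tricks like "https://ours@evil.com", and non-http schemes.

```python
# Added example (not SysAid code): allow-list validation for a post-login
# redirect parameter such as redirectURL. Hostnames are hypothetical.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"helpdesk.example.com"}  # hypothetical: this deployment's own host(s)
DEFAULT_LANDING = "/home.jsp"             # hypothetical safe fallback


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Accept only same-site absolute URLs or plain absolute paths."""
    if not target:
        return False
    # Browsers strip CR/LF/TAB, which can turn a rejected string into an
    # accepted one after the check ran; refuse control characters outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" is really
    # "//evil.com" (scheme-relative, off-site). Normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)  # urlsplit lower-cases the scheme
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and friends
    if parts.netloc:
        # Absolute or scheme-relative URL: the host must be ours. .hostname
        # strips userinfo and port, so "https://ours@evil.com" resolves to evil.com.
        return (parts.hostname or "").lower() in allowed_hosts
    # No authority part: must be a plain absolute path, not "//..." and not "scheme:path".
    return not parts.scheme and target.startswith("/") and not target.startswith("//")


def safe_redirect_target(requested: str, default: str = DEFAULT_LANDING) -> str:
    """Sink-side helper: the location the handler should actually redirect to."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    for t in ["/home.jsp", "https://google.com", "//google.com", "/\\google.com",
              "javascript:alert(1)", "https://helpdesk.example.com@google.com/"]:
        print(f"{t!r:45} -> {safe_redirect_target(t)}")
```

The validator is applied to the parameter after the framework has URL-decoded it once (the value the handler actually sees); do not decode again inside the check, or the check and the redirect may disagree on what the string is.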
2022-05-12  CVE-2022-22798  Broken Access Control vulnerability in Sysaid 21.1.30/21.4.45
    SysAid Pro Plus Edition / SysAid Help Desk v20.4.74 b10, v22.1.20 b62, v22.1.30 b49, broken access control: an attacker logs in as a guest and is redirected to the service portal (EndUserPortal.JSP); changing the URL path to /ConcurrentLogin%2ejsp (the dot percent-encoded) yields an error page with a login button, and clicking it connects the guest to the system dashboard.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CVSS 8.8 (high)
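The detail worth taking from this entry is the spelling /ConcurrentLogin%2ejsp: an access rule keyed on the literal request path is satisfied by a percent-encoded dot even though the container dispatches the request to the same JSP. As an added illustration (not SysAid's code, and not a scanner for the product), the check below puts a naive literal match beside one that canonicalises the path first. The page set, role names and policy function are hypothetical; the point generalises to double encoding, backslashes and dot-segments, which the test inputs also cover.

```python
# Added example (not SysAid code): an authorisation rule on a request path,
# naive (literal string match) beside hardened (canonicalise first).
import posixpath
from urllib.parse import unquote

# Hypothetical: pages that require a fully logged-in (non-guest) session.
FULL_LOGIN_ONLY = {"/ConcurrentLogin.jsp", "/home.jsp"}


def naive_requires_full_login(raw_path: str) -> bool:
    """Weak: compares the path exactly as the client spelled it."""
    return raw_path in FULL_LOGIN_ONLY


def canonical_path(raw_path: str) -> str:
    """Map every spelling of a path to one string before any policy lookup:
    drop query/fragment, percent-decode (bounded loop, so %252e also resolves),
    treat backslash as slash, resolve '.'/'..' and duplicate slashes."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # "/" + lstrip: posixpath.normpath would otherwise keep a "//" prefix intact.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_requires_full_login(raw_path: str) -> bool:
    """Same rule, evaluated on the canonical path."""
    return canonical_path(raw_path) in FULL_LOGIN_ONLY


def authorize(raw_path: str, session_role: str, policy) -> str:
    """Return 'allow' or 'deny' for a request under the given policy function.
    Roles are hypothetical: 'anonymous' and 'guest' are not fully logged in."""
    if policy(raw_path) and session_role in ("anonymous", "guest"):
        return "deny"
    return "allow"


if __name__ == "__main__":
    p = "/ConcurrentLogin%2ejsp"
    print("naive   :", authorize(p, "guest", naive_requires_full_login))     # allow (bypass)
    print("hardened:", authorize(p, "guest", hardened_requires_full_login))  # deny
```

In a servlet container the safest input for this rule is the already-decoded servlet path the container used for dispatch, so that authorisation and dispatch can never disagree; the repeated decoding above is deliberately conservative for a deny decision and would be wrong for an allow-list that must accept literal percent signs.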
2022-05-12  CVE-2022-23165  Cross-site Scripting vulnerability in Sysaid
    SysAid 14.2.0 reflected cross-site scripting (XSS): the helpPageName parameter of /help/treecontent.jsp is vulnerable to reflected XSS.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-79 | CVSS 6.1 (medium)
2022-05-12  CVE-2022-23166  Path Traversal vulnerability in Sysaid
    SysAid local file inclusion (LFI): an unauthenticated attacker can access the system via the /lib/tinymce/examples/index.html path.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-22 | CVSS 9.8 (critical)
2022-01-11  CVE-2021-43971  SQL Injection vulnerability in Sysaid 20.4.74
    A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-89 | CVSS 8.8 (high)
2022-01-11  CVE-2021-43972  Unrestricted file copy vulnerability in Sysaid 20.4.74
    An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CVSS 6.5 (medium)
2022-01-11  CVE-2021-43973  Unrestricted Upload of File with Dangerous Type vulnerability in Sysaid 20.4.74
    An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body.
    Attack vector: network | Attack complexity: low | Vendor: sysaid | CWE-434 | CVSS 8.8 (high)
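CVE-2021-43972 and CVE-2021-43973 are two sides of one problem: a client-controlled source path (tempFile), a client-controlled destination name (fileName / the uploaded file name), and a destination inside the web root. As an added example that is not SysAid's code, the validator below confines the source to the temporary upload directory, reduces the destination to a bare filename whose every dotted suffix is an allowed image type, and places it under a directory that is served as static content only. The directory names, the extension policy and the parameter names are hypothetical; it uses pure string normalisation so it runs stand-alone, and a deployment with symlinks under the upload tree should additionally compare os.path.realpath results.

```python
# Added example (not SysAid code): validate the source and destination of a
# server-side file copy / upload request so neither can be steered by the client.
import posixpath
from urllib.parse import unquote

# Hypothetical directories and policy for this example.
TEMP_ROOT = "/srv/app/tmp"              # where fresh uploads land
ICON_ROOT = "/srv/app/static/icons"     # served as static content only, never executed
ALLOWED_EXT = {"png", "gif", "jpg", "jpeg", "ico"}


class RejectedPath(ValueError):
    """Raised when a client-supplied path or filename fails validation."""


def confine(root: str, user_supplied: str) -> str:
    """Join a client-supplied relative path under root and refuse anything that
    is absolute or resolves outside root (.., backslashes, percent-encoded dots)."""
    rel = unquote(user_supplied).replace("\\", "/")
    if not rel or rel.startswith("/"):
        raise RejectedPath(f"absolute or empty path {user_supplied!r}")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or not candidate.startswith(root + "/"):
        raise RejectedPath(f"{user_supplied!r} escapes {root}")
    return candidate


def safe_icon_name(client_name: str) -> str:
    """Keep only the final path component and require every dotted suffix to be
    an allowed image extension, so 'shell.jsp.png' style names are refused too."""
    name = posixpath.basename(unquote(client_name).replace("\\", "/"))
    if not name or name.startswith("."):
        raise RejectedPath(f"bad filename {client_name!r}")
    suffixes = name.lower().split(".")[1:]
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        raise RejectedPath(f"disallowed extension in {client_name!r}")
    return name


def plan_copy(temp_file: str, file_name: str) -> tuple:
    """Resolve (source, destination) for a copy request, or raise RejectedPath.
    The actual copy is left to the caller once both paths are approved."""
    src = confine(TEMP_ROOT, temp_file)
    dst = confine(ICON_ROOT, safe_icon_name(file_name))
    return src, dst


def copy_allowed(temp_file: str, file_name: str) -> bool:
    """Boolean view of plan_copy for policy checks and tests."""
    try:
        plan_copy(temp_file, file_name)
        return True
    except RejectedPath:
        return False


if __name__ == "__main__":
    print(plan_copy("a1b2.tmp", "logo.png"))
    for tf, fn in [("../../../etc/passwd", "logo.png"), ("a1b2.tmp", "shell.jsp"),
                   ("a1b2.tmp", "../../webapps/ROOT/shell.jsp")]:
        print(tf, fn, "->", copy_allowed(tf, fn))
```

Keeping the destination outside anything the container will compile or execute matters as much as the name check: even a perfectly validated image name is harmless only if the directory it lands in is served as static bytes.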