Sysaid vulnerabilities (medium risk)

Each entry lists: date | CVE | vulnerability title | risk score, followed by the description and the attack vector, attack complexity, affected product and CWE where the catalogue gives them.

2023-12-25 | CVE-2023-47247 | Unspecified vulnerability in Sysaid | 4.3
  In SysAid On-Premise before 23.3.34, there is an edge case in which an end user is able to delete a Knowledge Base article, aka bug 15102.
  Attack vector: network; attack complexity: low; product: sysaid

2023-11-24 | CVE-2023-33706 | Authorization Bypass Through User-Controlled Key vulnerability in Sysaid | 6.5
  SysAid before 23.2.15 allows Insecure Direct Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp.
  Attack vector: network; attack complexity: low; product: sysaid; CWE-639

2023-07-30 | CVE-2023-32226 | Files or Directories Accessible to External Parties vulnerability in Sysaid On-Premises | 6.5
  Sysaid - CWE-552: Files or Directories Accessible to External Parties - Authenticated users may exfiltrate files from the server via an unspecified method.
  Attack vector: network; attack complexity: low; product: sysaid; CWE-552

2022-06-24 | CVE-2022-23170 | XXE vulnerability in Sysaid Okta SSO | 6.8
  SysAid - Okta SSO integration - was found vulnerable to XML External Entity (XXE) injection.
  Attack vector: network; product: sysaid; CWE-611

2022-05-12 | CVE-2022-22797 | Open Redirect vulnerability in Sysaid | 5.8
  Sysaid - sysaid Open Redirect - An attacker can change the redirect link via the "redirectURL" parameter of a GET request to the URL location /CommunitySSORedirect.jsp?redirectURL=https://google.com.
  Attack vector: network; product: sysaid; CWE-601

2022-05-12 | CVE-2022-23165 | Cross-site Scripting vulnerability in Sysaid | 4.3
  Sysaid - Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a reflected cross-site scripting vulnerability.
  Attack vector: network; product: sysaid; CWE-79

2022-01-11 | CVE-2021-43971 | SQL Injection vulnerability in Sysaid 20.4.74 | 6.5
  A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
  Attack vector: network; attack complexity: low; product: sysaid; CWE-89

2022-01-11 | CVE-2021-43972 | Unspecified vulnerability in Sysaid 20.4.74 | 6.8
  An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
  Attack vector: network; attack complexity: low; product: sysaid

2022-01-11 | CVE-2021-43973 | Unrestricted Upload of File with Dangerous Type vulnerability in Sysaid 20.4.74 | 6.5
  An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body.
  Attack vector: network; attack complexity: low; product: sysaid; CWE-434

2022-01-11 | CVE-2021-43974 | Missing Authentication for Critical Function vulnerability in Sysaid Itil 20.4.74 | 5.0
  An issue was discovered in SysAid ITIL 20.4.74 b10.
  Attack vector: network; attack complexity: low; product: sysaid; CWE-306