Filtered by vendor Sysaid
Total: 37 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2021-43972 | 1 Sysaid | 1 Sysaid | 2024-08-04 | 6.5 Medium | An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body. |
CVE-2021-43973 | 1 Sysaid | 1 Sysaid | 2024-08-04 | 8.8 High | An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file. |
CVE-2021-43974 | 1 Sysaid | 1 Itil | 2024-08-04 | 5.3 Medium | An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines whether anonymous users are allowed to register new accounts. Configuring the server-side setting to disable anonymous user registration only hides the client-side registration form. An attacker can still post registration data to create new accounts without prior authentication. |
CVE-2021-43971 | 1 Sysaid | 1 Sysaid | 2024-08-04 | 8.8 High | A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter. |
CVE-2021-31862 | 1 Sysaid | 1 Sysaid | 2024-08-03 | 6.1 Medium | SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication. |
CVE-2021-30486 | 1 Sysaid | 1 Sysaid | 2024-08-03 | 8.8 High | SysAid 20.3.64 b14 is affected by Blind and Stacked SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1). |
CVE-2021-30049 | 1 Sysaid | 1 Sysaid | 2024-08-03 | 6.1 Medium | SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI. |
CVE-2022-40325 | 1 Sysaid | 1 Help Desk | 2024-08-03 | 6.1 Medium | SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262. |
CVE-2022-40324 | 1 Sysaid | 1 Help Desk | 2024-08-03 | 6.1 Medium | SysAid Help Desk before 22.1.65 allows XSS via the Linked SRs field, aka FR# 67258. |
CVE-2022-40323 | 1 Sysaid | 1 Help Desk | 2024-08-03 | 6.1 Medium | SysAid Help Desk before 22.1.65 allows XSS in the Password Services module, aka FR# 67241. |
CVE-2022-40322 | 1 Sysaid | 1 Help Desk | 2024-08-03 | 6.1 Medium | SysAid Help Desk before 22.1.65 allows XSS, aka FR# 66542 and 65579. |
CVE-2023-47247 | 1 Sysaid | 1 Sysaid | 2024-08-02 | 4.3 Medium | In SysAid On-Premise before 23.3.34, there is an edge case in which an end user is able to delete a Knowledge Base article, aka bug 15102. |
CVE-2023-33706 | 1 Sysaid | 1 Sysaid | 2024-08-02 | 6.5 Medium | SysAid before 23.2.15 allows Insecure Direct Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp. |
CVE-2023-32226 | 1 Sysaid | 1 Sysaid On-premises | 2024-08-02 | 8.3 High | Sysaid - CWE-552: Files or Directories Accessible to External Parties - Authenticated users may exfiltrate files from the server via an unspecified method. |
CVE-2023-32225 | 1 Sysaid | 1 Sysaid On-premises | 2024-08-02 | 9.8 Critical | Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A malicious user with administrative privileges may be able to upload a dangerous filetype via an unspecified method. |
CVE-2024-36394 | 1 Sysaid | 1 Sysaid | 2024-08-02 | 9.1 Critical | SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
CVE-2024-36393 | 1 Sysaid | 1 Sysaid | 2024-08-02 | 9.9 Critical | SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |