CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-31862
https://notcve.org/view.php?id=CVE-2021-31862
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication. SysAid versión 20.4.74, permite un ataque de tipo XSS por medio del parámetro de sello KeepAlive.jsp sin ninguna autenticación • https://github.com/RobertDra/CVE-2021-31862 https://github.com/RobertDra/CVE-2021-31862/blob/main/README.md https://www.sysaid.com/product/on-premise/latest-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-30486
https://notcve.org/view.php?id=CVE-2021-30486
SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1). SysAid versión 20.3.64 b14, está afectado por una inyección SQL de Blind y Stacker por medio de los archivos AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID o group1), o AssetManagementSummary.jsp (GET group1) • https://eh337.net/2021/04/10/sysaid-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-30049
https://notcve.org/view.php?id=CVE-2021-30049
SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI. SysAid versión 20.3.64 b14, está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio de un URI /KeepAlive.jsp?stamp= • https://eh337.net/2021/03/30/sysaid • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 38EXPL: 1CVE-2020-13168
https://notcve.org/view.php?id=CVE-2020-13168
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter. SysAid versión 20.1.11b26, permite un ataque de tipo XSS reflejado por medio del parámetro accountid del archivo ForgotPassword.jsp • https://github.com/lodestone-security/CVEs/tree/master/CVE-2020-13168 https://www.sysaid.com/product/on-premise/latest-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 81%CPEs: 1EXPL: 3CVE-2015-2993 – SysAid Help Desk 14.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-2993
SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry. SysAid Help Desk anterior a 15.2 no restringe correctamente el acceso a cierta funcionalidad, lo que permite a atacantes remotos (1) crear cuentas de administradores a través de una solicitud manipulada a /createnewaccount o (2) escribir en ficheros arbitrarios a través del parámetro fileName en /userentry. SysAid Help Desk version 14.4 suffers from code execution, denial of service, path disclosure, remote file upload, remote SQL injection, directory traversal, file download, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43885 http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Jun/8 http://www.securityfocus.com/archive/1/535679/100/0/threaded http://www.securityfocus.com/bid/75038 https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk • CWE-264: Permissions, Privileges, and Access Controls •