CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-31862
https://notcve.org/view.php?id=CVE-2021-31862
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication. SysAid versión 20.4.74, permite un ataque de tipo XSS por medio del parámetro de sello KeepAlive.jsp sin ninguna autenticación • https://github.com/RobertDra/CVE-2021-31862 https://github.com/RobertDra/CVE-2021-31862/blob/main/README.md https://www.sysaid.com/product/on-premise/latest-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-30486
https://notcve.org/view.php?id=CVE-2021-30486
SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1). SysAid versión 20.3.64 b14, está afectado por una inyección SQL de Blind y Stacker por medio de los archivos AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID o group1), o AssetManagementSummary.jsp (GET group1) • https://eh337.net/2021/04/10/sysaid-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-30049
https://notcve.org/view.php?id=CVE-2021-30049
SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI. SysAid versión 20.3.64 b14, está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio de un URI /KeepAlive.jsp?stamp= • https://eh337.net/2021/03/30/sysaid • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 38EXPL: 1CVE-2020-13168
https://notcve.org/view.php?id=CVE-2020-13168
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter. SysAid versión 20.1.11b26, permite un ataque de tipo XSS reflejado por medio del parámetro accountid del archivo ForgotPassword.jsp • https://github.com/lodestone-security/CVEs/tree/master/CVE-2020-13168 https://www.sysaid.com/product/on-premise/latest-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 87%CPEs: 1EXPL: 4CVE-2015-2994 – SysAid Help Desk 14.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-2994
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/. Vulnerabilidad de la subida de ficheros sin restricciones en ChangePhoto.jsp en SysAid Help Desk anterior a 15.2 permite a administradores remotos ejecutar código arbitrario mediante la subida de un fichero con una extensión .jsp, y posteriormente accediendo a ello a través de una solicitud directa al fichero en icons/user_photo/. SysAid Help Desk version 14.4 suffers from code execution, denial of service, path disclosure, remote file upload, remote SQL injection, directory traversal, file download, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43885 https://www.exploit-db.com/exploits/41691 http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Jun/8 http://www.securityfocus.com/archive/1/535679/100/0/threaded http://www.securityfocus.com/bid/75038 https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk https://seclists.org/fulldisclosure/2015/Jun/8 •