
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

In SysAid On-Premise before 23.3.34, there is an edge case in which an end user is able to delete a Knowledge Base article, aka bug 15102. • https://documentation.sysaid.com/docs/23334

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp. • https://blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 9.8 | EPSS: 96% | CPEs: 1 | EXPL: 3

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023. SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution. • https://github.com/W01fh4cker/CVE-2023-47246-EXP • https://github.com/tucommenceapousser/CVE-2023-47246 • https://documentation.sysaid.com/docs/latest-version-installation-files • https://documentation.sysaid.com/docs/on-premise-security-enhancements-2023 • https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')