// For flags

CVE-2015-2993

SysAid Help Desk 14.4 - Multiple Vulnerabilities

Severity Score

7.5
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry.

SysAid Help Desk anterior a 15.2 no restringe correctamente el acceso a cierta funcionalidad, lo que permite a atacantes remotos (1) crear cuentas de administradores a través de una solicitud manipulada a /createnewaccount o (2) escribir en ficheros arbitrarios a través del parámetro fileName en /userentry.

SysAid Help Desk version 14.4 suffers from code execution, denial of service, path disclosure, remote file upload, remote SQL injection, directory traversal, file download, and various other vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-04-07 CVE Reserved
  • 2015-06-03 CVE Published
  • 2015-06-10 First Exploit
  • 2024-01-01 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sysaid
Search vendor "Sysaid"
Sysaid
Search vendor "Sysaid" for product "Sysaid"
<= 15.1
Search vendor "Sysaid" for product "Sysaid" and version " <= 15.1"
-
Affected