Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-22798

Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp after that he will receive an error message with a login button, by clicking on it, he will connect to the system dashboard. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system.

Published

2022-05-12T20:15:14.977

Last Modified

2024-11-21T06:47:28.560

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

10.0

Weaknesses

Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sysaid	sysaid	< 21.1.50	Yes
Application	sysaid	sysaid	< 22.1.64	Yes

References

https://www.gov.il/en/departments/faq/cve_advisories Third Party Advisory ([email protected])
https://www.gov.il/en/departments/faq/cve_advisories Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)