History: Jun 08, 2015 - 2:59 p.m.

CVE-2015-2993

2015-06-08 14:59:01
CWE-264
web.nvd.nist.gov
sysaid
help desk
vulnerability
remote attackers
admin accounts
arbitrary files

CVSS2: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score: 6.8
Confidence: Low

EPSS: 0.817
Percentile: 98.4%

SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry.

Affected configurations

NVD
Node: sysaid sysaid, Range 15.1

Vendor | Product | Version | CPE
sysaid | sysaid | | cpe:/a:sysaid:sysaid::::
