Sysaid 20.4.74 Security Vulnerabilities

A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
CVSS Score: 8.8 | EPSS Score: 0.006 | Published: 2022-01-11

An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2022-01-11

An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2022-01-11

SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.
CVSS Score: 6.1 | EPSS Score: 0.413 | Published: 2021-10-29