Sysaid: >> Sysaid >> 22.1.64 Security Vulnerabilities
CVE-2025-2775
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Known exploited
CVSS Score
9.3
EPSS Score
0.559
Published
2025-05-07
CVE-2025-2776
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Known exploited
CVSS Score
9.3
EPSS Score
0.488
Published
2025-05-07
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
CVSS Score
9.3
EPSS Score
0.131
Published
2025-05-07
SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score
9.9
EPSS Score
0.002
Published
2024-06-06
SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Score
9.1
EPSS Score
0.002
Published
2024-06-06
In SysAid On-Premise before 23.3.34, there is an edge case in which an end user is able to delete a Knowledge Base article, aka bug 15102.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-12-25
SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-11-24
CVE-2023-47246
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2023-11-10