CVE-2022-22798 MEDIUM

CVE-2022-22798: Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control

Vendor Sysaid
Product Sysaid
Published May 12, 2022
Last update September 17, 2024

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp after that he will receive an error message with a login button, by clicking on it, he will connect to the system dashboard. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system.

Key dates

02Disclosure timeline

May 12, 2022 CVE published
September 17, 2024 Record updated