CVE-2022-23166 MEDIUM

CVE-2022-23166: Sysaid – Sysaid Local File Inclusion (LFI)

Vendor Sysaid
Product Sysaid
Published May 12, 2022
Last update September 16, 2024

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.

Key dates

02Disclosure timeline

May 12, 2022 CVE published
September 16, 2024 Record updated