cvelist / INCD / CVELIST:CVE-2022-23166
History: May 12, 2022 - 7:49 p.m.

CVE-2022-23166 Sysaid – Sysaid Local File Inclusion (LFI)

2022-05-12 19:49:52
INCD
www.cve.org
Tags: sysaid, local file inclusion, lfi, unauthenticated attacker, update, cloud version, on premise version

CVSS3: 6.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

AI Score: 9.8
Confidence: High

EPSS: 0.002
Percentile: 54.9%

Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access the system through the “/lib/tinymce/examples/index.html” path. In the “Insert/Edit Embedded Media” window, choose Type: iFrame and File/URL: [here is the LFI].

Solution: Update to 22.2.20 (cloud version) or to 22.1.64 (on premise version).

CNA Affected

[
  {
    "platforms": [
      "cloud"
    ],
    "product": "Sysaid",
    "vendor": "SysAid",
    "versions": [
      {
        "lessThanOrEqual": "22.2.19",
        "status": "affected",
        "version": "22.2.19 cloud version",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "on premise"
    ],
    "product": "Sysaid",
    "vendor": "SysAid",
    "versions": [
      {
        "lessThanOrEqual": "22.1.63",
        "status": "affected",
        "version": "22.1.63 on premise version",
        "versionType": "custom"
      }
    ]
  }
]
