Lucene search

[email protected]NVD:CVE-2023-33706

HistoryNov 24, 2023 - 2:15 a.m.

CVE-2023-33706

2023-11-2402:15:42

CWE-639

[email protected]

web.nvd.nist.gov

sysaid

23.2.15

idor

vulnerability

emailhtmlsourceiframe.jsp

showmessage.jsp

ticket data

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

18.1%

JSON

SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp.

Affected configurations

Nvd

Node

sysaidsysaidRange<23.2.15on-premises

sysaidsysaidRange<23.2.50cloud

VendorProductVersionCPE
sysaidsysaid*cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*
sysaidsysaid*cpe:2.3:a:sysaid:sysaid:*:*:*:*:cloud:*:*:*

Vendor	Product	Version	CPE
sysaid	sysaid	*	cpe:2.3:a:sysaid:sysaid:::::on-premises:::*
sysaid	sysaid	*	cpe:2.3:a:sysaid:sysaid:::::cloud:::*

References

blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

18.1%

JSON

Related for NVD:CVE-2023-33706

cve1 prion1 cvelist1