415 matches found
CVE-2015-2993
SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry...
CVE-2015-2994
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/...
CVE-2015-2995
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file...
CVE-2015-2997
SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message...
CVE-2015-2998
SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-INF/conf/serverConf.xml...
CVE-2015-2999
Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 allow remote administrators to execute arbitrary SQL commands via the (1) groupFilter parameter in an AssetDetails report to /genericreport, customSQL parameter in a (2) TopAdministratorsByAverageTimer report or an (3) ActiveRequest...
CVE-2015-3000
SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an XML document to (1) /agententry, (2) /rdsmonitoringresponse, or (3) /androidactions, aka an XML Entity Expansion (XEE) attack...
CVE-2015-3001
SysAid Help Desk before 15.2 uses a hardcoded password of "Password1" for the "sa" SQL Server Express user account, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password...
CVE-2015-2999
CVE-2015-2999: SysAid Help Desk prior to 15.2 contains multiple SQL injection vulnerabilities. The injected vectors include (1) groupFilter in AssetDetails via /genericreport, (2) customSQL in TopAdministratorsByAverageTimer and (3) ActiveRequests via /genericreport, (4) dir parameter to HelpDesk...
CVE-2015-2995
CVE-2015-2995 affects SysAid Help Desk prior to 15.2, in the RdsLogsEntry servlet, where improper file-extension checking allows remote upload and execution of arbitrary files via a NULL byte after the extension (e.g., .war%00). Connected sources confirm a concrete exploit surface, including a Me...
CVE-2015-2993
SysAid Help Desk before 15.2 is affected by an access-control flaw that lets unauthenticated attackers (1) create administrator accounts via /createnewaccount and (2) write arbitrary files via the fileName parameter to /userentry. Public material confirms vulnerable versions and root cause as imp...
CVE-2015-2997
SysAid Help Desk (pre-15.2) vulnerability CVE-2015-2997: an information-disclosure path vulnerability via the accountId parameter in getAgentLogFile can reveal installation paths. The CVE is leveraged by combined directory-traversal flaws (CVE-2015-2996) to enable arbitrary file download, demonst...
CVE-2015-3000
SysAid Help Desk before 15.2 is affected by an XML Entity Expansion (XEE) vulnerability that can be triggered via requests to /agententry, /rdsmonitoringresponse, or /androidactions, allowing denial of service through large nested entity references. Root cause is improper handling of XML entities...
CVE-2015-2996
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to...
CVE-2015-2996
CVE-2015-2996 affects SysAid Help Desk prior to 15.2. It involves directory traversal vulnerabilities that allow remote attackers to read arbitrary files via .. in the fileName parameter to getGfiUpgradeFile, and to cause a denial of service via .. in the fileName parameter to calculateRdsFileChe...
CVE-2015-3001
SysAid Help Desk before 15.2 is affected by multiple vulnerabilities including CVE-2015-3001 (use of a hard-coded sa password: Password1) and CVE-2015-2993 (administrator account creation). The issues enable bypass of access restrictions and potential remote compromise; some en...
CVE-2015-2994
CVE-2015-2994 is an unrestricted file upload vulnerability in SysAid Help Desk’s ChangePhoto.jsp (before 15.2). An attacker with admin access can upload a .jsp and access it via icons/user_photo/, enabling arbitrary code execution on the server. Evidence of exploitation/PoCs exists (Metasploit mo...
CVE-2015-2998
SysAid Help Desk (before version 15.2) is affected by CVE-2015-2998 due to a hardcoded encryption key used to encrypt sensitive data. The vulnerability allows remote attackers to obtain sensitive information by decrypting the database password stored in WEB-INF/conf/serverConf.xml, as demonstrate...
[Multiple CVE's]: various critical vulnerabilities in SysAid Help Desk (RCE, file download, DoS, etc)
Hi, tl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE. SysAid have informed me they all have been fixed in 15.2, but no re-test was performed. Full advisory below, and a copy can be obtained at [1]. 5 Metasploit modules have been released and currently awaiting merge in the moderati...
SysAid Help Desk 14.4 Multiple Vulnerabilities
SysAid Help Desk version 14.4 suffers from code execution, denial of service, path disclosure, remote file upload, remote SQL injection, directory traversal, file download, and various other vulnerabilities. Found lots of vulns in SysAid Help Desk 14.4, including RCE. SysAid have informed me they...