SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp.
References
| Link | Resource |
|---|---|
| https://blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid/ | Exploit Third Party Advisory |
| https://blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:05
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid/ - Exploit, Third Party Advisory |
30 Nov 2023, 20:28
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-639 | |
| CPE | cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:* cpe:2.3:a:sysaid:sysaid:*:*:*:*:cloud:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| First Time |
Sysaid
Sysaid sysaid |
|
| References | () https://blog.pridesec.com.br/en/insecure-direct-object-reference-idor-affects-helpdesk-sysaid/ - Exploit, Third Party Advisory |
24 Nov 2023, 02:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-11-24 02:15
Updated : 2024-11-21 08:05
NVD link : CVE-2023-33706
Mitre link : CVE-2023-33706
CVE.ORG link : CVE-2023-33706
JSON object : View
Products Affected
sysaid
- sysaid
CWE
CWE-639
Authorization Bypass Through User-Controlled Key