CVE-2021-43973

Published: Jan 11, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file.

Affected (1)

Products: Sysaid: Sysaid

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sysaid Sysaid	Version 20.4.74 b10

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.md

Source: cve@mitre.org

Broken Link

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.md

Source: cve@mitre.org

PatchThird Party Advisory

https://www.sysaid.com/it-service-management-software/incident-management

Source: cve@mitre.org

Product

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.md

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.md

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.sysaid.com/it-service-management-software/incident-management

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.