SysAid Unauthenticated File Upload Vulnerability

Published: 2015-06-11 03:02:43
CVE Author: NIST National Vulnerability Database (NVD)

Solution Type:
Vendor Patch

SysAid Help Desktop Software is prone to an unauthenticated file upload vulnerability.

Detection Method:
Determine whether the vulnerable service is reachable and then check the reported SysAid version. This is a version-based check only: it does not verify the Java version precondition described below, so a host running Java 7u40 or later is still flagged. Treat such hosts as vulnerable and upgrade anyway, because the unauthenticated upload itself is independent of the Java version; the newer Java runtime only blocks the null byte trick that turns it into code execution.

Technical Details:
The vulnerability exists in the RdsLogsEntry servlet, which accepts unauthenticated file uploads and handles zip file contents in an insecure way: file names taken from the upload are used when writing to disk without adequate validation. The known exploitation path relies on null byte injection in file names (a NUL byte truncates the name once it reaches the operating system, so anything after it, such as a checked extension, is silently dropped). It therefore only works if the target is running Java 6, or Java 7 up to 7u25, because Java 7u40 and later refuse file names that contain a null byte.

An unauthenticated attacker can upload arbitrary files, which can lead to remote code execution.
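The following is an added example, not SysAid's servlet code and not part of the scanner entry. It models the weakness class described above in Python: a handler that takes file names from an uploaded zip, gates them with a suffix check, and writes them on a runtime that truncates names at the first NUL byte (Java 6, and Java 7 before 7u40). The archive, the entry names, the ".log" suffix rule and the base directory /srv/rds-logs are all constructed assumptions; the NUL truncation is modelled explicitly rather than performed by the OS. The hardened handler beside it rejects NUL bytes and directory components and confirms the resolved path stays under the base directory.

```python
# Added example (not SysAid's or Mageni's code): naive vs. hardened handling of
# file names taken from an uploaded zip, with Java<7u40 NUL truncation modelled.
import io
import os
import struct
import zipfile

ALLOWED_SUFFIX = ".log"   # assumption: the handler only means to accept log files


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}.

    zipfile.ZipInfo() silently cuts a name at its first NUL, so the name is
    assigned after construction to keep it exactly as a hostile client would
    send it on the wire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo("placeholder")
            info.filename = name
            zf.writestr(info, data)
    return buf.getvalue()


def raw_entry_names(blob):
    """Walk the central directory and return entry names as raw bytes, i.e.
    what a hand-rolled server-side parser sees before any sanitisation."""
    eocd = blob.rfind(b"PK\x05\x06")
    count, _cd_size, cd_offset = struct.unpack("<HII", blob[eocd + 10:eocd + 20])
    names, pos = [], cd_offset
    for _ in range(count):
        if blob[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack("<HHH", blob[pos + 28:pos + 34])
        names.append(blob[pos + 46:pos + 46 + name_len])
        pos += 46 + name_len + extra_len + comment_len
    return names


def names_after_zipfile(blob):
    """Same archive through Python's zipfile: it truncates at NUL on read but
    keeps '../' components, so the protection you get depends on the parser."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def naive_target(base_dir, name):
    """The weak pattern: a suffix check on the untrusted name, then the name
    goes straight into the destination path."""
    if not name.endswith(ALLOWED_SUFFIX):
        raise ValueError("bad suffix")
    return os.path.join(base_dir, name)


def as_written_by_old_java(path):
    """Model of Java 6 / 7 before 7u40: the path handed to the OS stops at the
    first NUL, so whatever followed it (here the checked suffix) is dropped."""
    nul = path.find("\x00")
    return os.path.normpath(path if nul < 0 else path[:nul])


def safe_target(base_dir, name):
    """Hardened handler: reject NUL bytes and any directory component, check
    the suffix on the cleaned name, and confirm the resolved path sits
    directly under base_dir."""
    if "\x00" in name:
        raise ValueError("NUL byte in entry name")
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("directory components not allowed")
    if not name.endswith(ALLOWED_SUFFIX):
        raise ValueError("bad suffix")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError("path escapes base directory")
    return target


def demo(base_dir="/srv/rds-logs"):
    """Run both handlers over a constructed hostile archive.

    Returns {entry name: (path the naive handler ends up writing on old Java,
    result of the hardened handler)}."""
    hostile = build_zip({
        "agent.log": b"ordinary log line\n",                        # benign
        "../../webroot/cmd.jsp\x00.log": b"<%-- constructed --%>",  # traversal + NUL
    })
    results = {}
    for raw in raw_entry_names(hostile):
        name = raw.decode("ascii")
        try:
            naive = as_written_by_old_java(naive_target(base_dir, name))
        except ValueError as exc:
            naive = "rejected: %s" % exc
        try:
            safe = safe_target(base_dir, name)
        except ValueError as exc:
            safe = "rejected: %s" % exc
        results[name] = (naive, safe)
    return results


if __name__ == "__main__":
    for name, (naive, safe) in demo().items():
        print("%-34r naive -> %-20s hardened -> %s" % (name, naive, safe))
```

Running the block shows the benign entry landing in the base directory under both handlers, while the crafted entry passes the naive suffix check and, after truncation, is written as /webroot/cmd.jsp; the hardened handler rejects it on the NUL byte before any path is built. Note that Python's own zipfile behaves like a newer Java runtime here (it drops everything after the NUL) but still returns the "../" components, so validation has to be applied to the names exactly as your parser delivers them, and rejecting a suspicious name is safer than truncating it, since truncation is precisely what the attacker relies on.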

Affected Versions:
SysAid Help Desktop version 15.1.x and earlier.

Solution:
Upgrade to version 15.2 or later.
