CVE Vulnerability

CVE-2021-43972

An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 6.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.md Broken Link
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.md Patch Third Party Advisory
https://www.sysaid.com/it-service-management-software/incident-management Product
Configurations

Configuration 1

cpe:2.3:a:sysaid:sysaid:20.4.74:b10:*:*:*:*:*:*
Information

Published : 2022-01-11 08:15

Updated : 2022-01-20 05:08

NVD link : CVE-2021-43972

Mitre link : CVE-2021-43972

Products Affected
No products.
CWE
NVD-CWE-Other