Vulnerability CVE-2015-3000
Published: 2015-06-08

Description:
SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an XML document to (1) /agententry, (2) /rdsmonitoringresponse, or (3) /androidactions, aka an XML Entity Expansion (XEE) attack.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
SysAid Help Desk 14.4 Multiple Vulnerabilities
Agile
26.01.2018

Type:

CWE-399

 (Resource Management Errors)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete
Affected software
Sysaid -> Sysaid 

 References:
http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
http://seclists.org/fulldisclosure/2015/Jun/8
http://www.securityfocus.com/archive/1/535679/100/0/threaded
http://www.securityfocus.com/bid/75038
https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk
Copyright 2024, cxsecurity.com

 

Back to Top