Skip to main content

Sysaid CVE-2022-23165

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2022-05-12 cna@cyber.gov.il
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 12, 2022 - 20:15 nvd
MEDIUM 6.1

DescriptionNVD

Sysaid - Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vulnerability, it's necessary for the affected product to expose the Offline Help Pages. An attacker may gain access to sensitive information or execute client-side code in the browser session of the victim user. Furthermore, an attacker would require the victim to open a malicious link. An attacker may exploit this vulnerability in order to perform phishing attacks. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system

AnalysisAI

Sysaid - Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Sysaid - Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vulnerability, it's necessary for the affected product to expose the Offline Help Pages. An attacker may gain access to sensitive information or execute client-side code in the browser session of the victim user. Furthermore, an attacker would require the victim to open a malicious link. An attacker may exploit this vulnerability in order to perform phishing attacks. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system Affected products include: Sysaid.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Sysaid

View all
CVE-2025-2775 CRITICAL POC
9.3 May 07

SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling adm

CVE-2025-2776 CRITICAL POC
9.3 May 07

SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack

CVE-2015-2996 HIGH POC
8.5 Jun 08

Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrar

CVE-2015-2995 MEDIUM POC
6.8 Jun 08

The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote at

CVE-2015-2994 MEDIUM POC
6.5 Jun 08

Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators t

CVE-2015-2993 HIGH POC
7.5 Jun 08

SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers t

CVE-2015-2997 MEDIUM POC
5.0 Jun 08

SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the account

CVE-2015-2998 MEDIUM POC
5.0 Jun 08

SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensi

CVE-2025-2777 CRITICAL POC
9.3 May 07

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the l

CVE-2015-3000 HIGH POC
7.8 Jun 08

SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a lar

CVE-2023-47246 CRITICAL POC
9.8 Nov 10

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a f

CVE-2021-30486 HIGH POC
8.8 Jul 22

SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetMa

Share

CVE-2022-23165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy