CVE-2022-22796 and CVE-2022-23166 fix availability

 
Author
Message
SysAider
3
 
When will Sysaid On Prem have fixes available for CVE-2022-22796 and CVE-2022-23166? I only see 21.4.45 available, which is at risk to these vulnerabilities.

CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796

CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle
SysAid Product Manager Community Manager
393
 
Hi omillero,
Version 22.1.65 is available as release candidate here:
https://community.sysaid.com/Sysforums/posts/list/17592.page

And it includes fixes to:
CVE-2021-36721, CVE-2021-22796, CVE-2022-22798, CVE-2022-23165 and CVE-2022-23166.

Please go in install our release candidate and share feedback on the forum to get 25$ amazon gift card!

Cheers,
Maayan


omillero wrote:When will Sysaid On Prem have fixes available for CVE-2022-22796 and CVE-2022-23166? I only see 21.4.45 available, which is at risk to these vulnerabilities.

CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796

CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle

This message was edited 2 times. Last update was at May. 26, 2022 02:12 PM

SysAider
3
 
Perfect. Thanks for the quick reply!
SysAid Product Manager Community Manager
393
 
With pleasure

omillero wrote:Perfect. Thanks for the quick reply!