When will Sysaid On Prem have fixes available for CVE-2022-22796 and CVE-2022-23166? I only see 21.4.45 available, which is at risk to these vulnerabilities.
CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796
CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle
CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796
CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle
