When will Sysaid On Prem have fixes available for CVE-2022-22796 and CVE-2022-23166? I only see 21.4.45 available, which is at risk to these vulnerabilities.
CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796
CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle
Userlevel 5
Hi omillero,
Version 22.1.65 is available as release candidate here:
https://community.sysaid.com/Sysforums/posts/list/17592.page
And it includes fixes to:
CVE-2021-36721, CVE-2021-22796, CVE-2022-22798, CVE-2022-23165 and CVE-2022-23166.
Please go in install our release candidate and share feedback on the forum to get 25$ amazon gift card!
Cheers,
Maayan
Version 22.1.65 is available as release candidate here:
https://community.sysaid.com/Sysforums/posts/list/17592.page
And it includes fixes to:
CVE-2021-36721, CVE-2021-22796, CVE-2022-22798, CVE-2022-23165 and CVE-2022-23166.
Please go in install our release candidate and share feedback on the forum to get 25$ amazon gift card!
Cheers,
Maayan
omillero
When will Sysaid On Prem have fixes available for CVE-2022-22796 and CVE-2022-23166? I only see 21.4.45 available, which is at risk to these vulnerabilities.
CVE-2022-22796 - CVSS 9.8
Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication.
https://nvd.nist.gov/vuln/detail/CVE-2022-22796
CVE-2022-23166 - CVSS 9.8
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
https://nvd.nist.gov/vuln/detail/CVE-2022-23166#vulnCurrentDescriptionTitle
Perfect. Thanks for the quick reply!
Userlevel 5
With pleasure 
omillero
Perfect. Thanks for the quick reply!
Reply
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
