CVE-2021-43972 — MEDIUM (6.5)

Vulnerability Description

An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Sysaid	Sysaid	20.4.74

References

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.mdBroken Link
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.mdPatchThird Party Advisory
https://www.sysaid.com/it-service-management-software/incident-managementProduct
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.mdBroken Link
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.mdPatchThird Party Advisory
https://www.sysaid.com/it-service-management-software/incident-managementProduct

FAQ

What is CVE-2021-43972?

CVE-2021-43972 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web ro...

How severe is CVE-2021-43972?

CVE-2021-43972 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43972?

Check the references section above for vendor advisories and patch information. Affected products include: Sysaid Sysaid.