CVE-2015-2994

Name of the Vulnerable Software and Affected Versions SysAid Help Desk versions prior to 15.2

Description The issue concerns an unrestricted file upload vulnerability. This allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension to the icons/user photo/ directory, and then accessing it via a direct request.

Recommendations For versions prior to 15.2, update to version 15.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ChangePhoto.jsp file and limiting the types of files that can be uploaded to prevent exploitation.