CVE-2015-2999

Name of the Vulnerable Software and Affected Versions SysAid Help Desk versions prior to 15.2

Description The issue allows remote administrators to execute arbitrary SQL commands. This can be achieved through various means, including the groupFilter parameter in an AssetDetails report to "/genericreport", the customSQL parameter in a TopAdministratorsByAverageTimer report or an ActiveRequests report to "/genericreport", the dir parameter to HelpDesk.jsp, or the grantSQL parameter to RFCGantt.jsp.

Recommendations For versions prior to 15.2, update to version 15.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters, such as groupFilter, customSQL, dir, and grantSQL, until a patch is available. Avoid using these parameters in the affected API endpoints and JSP files until the issue is resolved.