B3Ta

**Name of the Vulnerable Software and Affected Versions** SysAid version 20.3.64 b14 **Description** The issue is related to Cross Site Scripting (XSS) and can be exploited via the "/KeepAlive.jsp?stamp=" URI. This is a type of attack where an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For SysAid version 20.3.64 b14, as a temporary workaround, consider restricting access to the "/KeepAlive.jsp" endpoint until a patch is available. Avoid using the `stamp` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SysAid version 20.3.64 b14 **Description** The issue is related to Blind and Stacker SQL injection. It can be exploited via several API endpoints, including "AssetManagementChart.jsp" with `computerID` or `group1` parameters, "AssetManagementList.jsp" with `computerID` or `group1` parameters, and "AssetManagementSummary.jsp" with the `group1` parameter. **Recommendations** For SysAid version 20.3.64 b14, consider disabling access to the vulnerable API endpoints, such as "AssetManagementChart.jsp", "AssetManagementList.jsp", and "AssetManagementSummary.jsp", until a patch is available. Restrict the use of the `computerID` and `group1` parameters in these endpoints to minimize the risk of exploitation.