PT-2022-11961 · Sysaid · Sysaid Itil

Brandon Perry

Published

2022-01-11

Updated

2022-01-22

CVE-2021-43971

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SysAid ITIL version 20.4.74 b10

Description A SQL injection issue allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter in the "/mobile/SelectUsers.jsp" API endpoint.

Recommendations For SysAid ITIL version 20.4.74 b10, consider restricting access to the "/mobile/SelectUsers.jsp" endpoint until a patch is available, and avoid using the filterText parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-43971

Affected Products

Sysaid Itil

PT-2022-11961 · Sysaid · Sysaid Itil

CVE-2021-43971

Weakness Enumeration

Related Identifiers

Affected Products

References · 7