CVE-2021-43974

Name of the Vulnerable Software and Affected Versions SysAid ITIL version 20.4.74 b10

Description An issue was discovered where the /enduserreg endpoint does not respect the server-side setting for anonymous user registration. This allows an attacker to create new accounts without prior authentication by posting registration data, even if the server-side setting is configured to disable anonymous user registration. The client-side registration form is hidden when this setting is disabled, but this does not prevent attackers from registering new accounts.

Recommendations For SysAid ITIL version 20.4.74 b10, as a temporary workaround, consider restricting access to the /enduserreg endpoint to minimize the risk of exploitation. Additionally, review server-side settings to ensure that anonymous user registration is properly configured and enforced. At the moment, there is no information about a newer version that contains a fix for this vulnerability.