CVE-2022-23165

Name of the Vulnerable Software and Affected Versions Sysaid version 14.2.0

Description The parameter helpPageName used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting issue. To exploit this, the affected product must expose the Offline Help Pages. An attacker may gain access to sensitive information or execute client-side code in the browser session of the victim user by requiring the victim to open a malicious link. This can be used to perform phishing attacks, allowing the attacker to receive sensitive data like server details, usernames, workstations, etc., and perform actions such as uploading files or deleting calls from the system.

Recommendations For Sysaid version 14.2.0, as a temporary workaround, consider restricting access to the /help/treecontent.jsp page and avoiding the use of the helpPageName parameter until a patch is available. Additionally, ensure that Offline Help Pages are not exposed to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.