CVE-2023-33706

Name of the Vulnerable Software and Affected Versions SysAid versions prior to 23.2.15

Description The issue allows for Indirect Object Reference (IDOR) attacks, enabling unauthorized access to protected information. This can be achieved by modifying the sid parameter to EmailHtmlSourceIframe.jsp or the srID parameter to ShowMessage.jsp. The vulnerability is related to bypassing authorization through the use of a user-controlled key, which can allow a remote attacker to gain unauthorized access to sensitive data.

Recommendations For versions prior to 23.2.15, update to version 23.2.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the EmailHtmlSourceIframe.jsp and ShowMessage.jsp pages until a patch is available. Avoid using the sid and srID parameters in the affected API endpoints until the issue is resolved.