CVE-2021-43972
MEDIUMSysAid ITIL 20.4.74 b10 - Authenticated Arbitrary File Copy via UserSelfServiceSettings.jsp
Title source: llmDescription
An unrestricted file copy vulnerability in /UserSelfServiceSettings.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to copy arbitrary files on the server filesystem to the web root (with an arbitrary filename) via the tempFile and fileName parameters in the HTTP POST body.
References (3)
Core 3
Core References
Product x_refsource_misc
https://www.sysaid.com/it-service-management-software/incident-management
Broken Link x_refsource_misc
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.md
Patch, Third Party Advisory x_refsource_misc
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.md
Scores
CVSS v3
6.5
EPSS
0.0146
EPSS Percentile
70.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (1)
sysaid/sysaid
20.4.74 b10
Published
Jan 11, 2022
Tracked Since
Feb 18, 2026