CVE-2022-47075

HIGH EXPLOITED NUCLEI

Smart Office Web <20.28 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2022-47075 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit. A Nuclei detection template is also available.

AI-analyzed exploit summary: This script exploits an unauthenticated IDOR vulnerability in Smart Office Web 20.28 and earlier, allowing remote information disclosure by directly accessing sensitive endpoints. It downloads CSV and text files containing employee details, login data, and other sensitive information.

Description

An issue in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx and to ExportReportingManager.aspx.

Exploits (1)

exploitdb WORKING POC
python · webapps · aspx
https://www.exploit-db.com/exploits/51539


Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Smart Office Web 20.28 and before
No auth needed
Prerequisites: Network access to the target application · Target running vulnerable version of Smart Office Web
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Smart Office Web 20.28 - Information Disclosure
HIGH · VERIFIED · by r3Y3r53

Scores

CVSS v3 7.5
EPSS 0.5941
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2025-05-12
Status published
Products (1)
smartofficepayroll/smartoffice < 20.28
Published Feb 28, 2023
Tracked Since Feb 18, 2026