CVE-2022-47076

HIGH

Smart Office Web <20.28 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-47076. PoCs published by Tejas Pingulkar.

AI-analyzed exploit summary: This exploit leverages an insecure direct object reference (IDOR) vulnerability in Smart Office Web 20.28 and earlier to disclose sensitive information without authentication. It downloads files containing employee details, login credentials, and other sensitive data via unauthenticated endpoints.

Description

An issue was discovered in Smart Office Web 20.28 and earlier that allows attackers to view sensitive information via DisplayParallelLogData.aspx.

Exploits (1)

exploitdb WORKING POC
by Tejas Pingulkar · python · webapps · aspx
https://www.exploit-db.com/exploits/51539

Classification
Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Smart Office Web 20.28 and before
No auth needed
Prerequisites: Network access to the target application · Target running vulnerable version of Smart Office Web
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.0618
EPSS Percentile 92.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
smartofficepayroll/smartoffice < 20.28
Published Feb 28, 2023
Tracked Since Feb 18, 2026