CVE-2023-47246

Published Nov 10, 2023

Last updated 5 months ago

Exploit knownCVSS critical 9.8

Overview

Description
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Source
cve@mitre.org
NVD status
Analyzed
Products
sysaid

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
SysAid Server Path Traversal Vulnerability
Exploit added on
Nov 13, 2023
Exploit action due
Dec 4, 2023
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-22
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.CVE-2025-2777
  2. SysAid On-Prem Improper Restriction of XML External Entity Reference VulnerabilityCVE-2025-2776
  3. SysAid On-Prem Improper Restriction of XML External Entity Reference VulnerabilityCVE-2025-2775
  4. SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')CVE-2024-36394
  5. SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')CVE-2024-36393

References

Sources include official advisories and independent security research.