CVE-2015-2996 : Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 all

Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.

Published 2015-06-08 14:59:05

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversalDenial of service

Products affected by CVE-2015-2996

Sysaid » Sysaid
Versions up to, including, (<=) 15.1
cpe:2.3:a:sysaid:sysaid:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-2996

EPSS FAQ

91.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2015-2996

SysAid Help Desk Arbitrary File Download

Disclosure Date: 2015-06-03

First seen: 2020-04-26

auxiliary/admin/http/sysaid_file_download

This module exploits two vulnerabilities in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we ab

More information
SysAid Help Desk Database Credentials Disclosure

Disclosure Date: 2015-06-03

First seen: 2020-04-26

auxiliary/admin/http/sysaid_sql_creds

This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted

More information

CVSS scores for CVE-2015-2996

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.5	HIGH	AV:N/AC:L/Au:N/C:P/I:N/A:C	10.0	7.8	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Complete

CWE ids for CVE-2015-2996

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-2996

http://seclists.org/fulldisclosure/2015/Jun/8

Full Disclosure: [Multiple CVE's]: various critical vulnerabilities in SysAid Help Desk (RCE, file download, DoS, etc)
Exploit

CVEs referencing this url
http://www.securityfocus.com/archive/1/535679/100/0/threaded

SecurityFocus

CVEs referencing this url
https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk

SysAid 15.2: Your Voice, Your Service Desk | SysAid Blog
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/75038

SysAid Multiple Security Vulnerabilities

CVEs referencing this url
http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html

SysAid Help Desk 14.4 Code Execution / Denial Of Service / Traversal / SQL Injection ≈ Packet Storm
Exploit

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-2996