CVE-2022-40325 SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262.

Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Upload button, aka FR# 67955. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Add New Asset button, aka FR# 67985. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Search button, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset list, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset Details view, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset Details view - Details field, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset Details view - Currency field, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset Details view - Position field, aka FR# 68012. Resolution - Upgrade to version 22.1.77 or later. XSS in the Asset Dashboard via the Asset Details view - Symbol field, aka FR# 68012.

Summary

There are five vulnerabilities in Asset Platform 22.1.77 and later, that can be exploited by cross-site scripting (XSS) attacks when uploading assets to a portfolio.

1. CVE-2022-40325 - Upload button XSS resulting in file disclosure on upload 2. FR# 67955 - XSS in the Asset Dashboard via the Add New Asset button 3. FR# 67985 - XSS in the Asset Dashboard via the Search button 4. FR# 68012 - XSS in the Asset Dashboard via the Asset list 5. FR# 68012 - XSS in the Asset Dashboard via the asset Details view 6. FR# 68012 - XSS in the Asset Dashboard via the asset Details view - Details field 7. FR# 68012 - XSS in the Asset Dashboard via the asset Details view - Currency field 8. FR# 68012 - XSS in
The vulnerability is caused due to insufficient validation of user input when uploading new assets to a portfolio

Other CVEs

CVE-2022-40325 - XSS in the Asset Dashboard via the Upload button

References:

FR# 67955: http://www.fortinet.com/security-center/advisories/67955
FR# 67985: http://www.fortinet.com/security-center/advisories/67985
FR# 68012: http://www.fortinet.com/security-center/advisories/68012
FR# 68012: https://support.fortinet.com/kb/articles?article=7834

Timeline

Published on: 09/11/2022 21:15:00 UTC
Last modified on: 09/15/2022 03:46:00 UTC

References

• https://documentation.sysaid.com/docs/22165-release-notes
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40325