CVE-2023-47246: SysAid Server Path Traversal Vulnerability
First published: Fri Nov 10 2023(Updated: )
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sysaid On-Premises | <23.3.36 | |
| SysAid Server | ||
| SysAid |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://documentation.sysaid.com/docs/on-premise-security-enhancements-2023
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
- https://documentation.sysaid.com/docs/latest-version-installation-files
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification;
- https://nvd.nist.gov/vuln/detail/CVE-2023-47246
Frequently Asked Questions
What is CVE-2023-47246?
CVE-2023-47246 is a path traversal vulnerability in SysAid Server that allows an attacker to execute code by writing a file to the Tomcat webroot.
What is the severity of CVE-2023-47246?
CVE-2023-47246 has a severity score of 9.8, which is considered critical.
How does CVE-2023-47246 affect SysAid Server?
CVE-2023-47246 affects SysAid Server versions before 23.3.36, allowing an attacker to exploit a path traversal vulnerability.
How can I fix CVE-2023-47246?
To fix CVE-2023-47246, you should upgrade to SysAid Server version 23.3.36 or later.
Where can I find more information about CVE-2023-47246?
You can find more information about CVE-2023-47246 in the SysAid On-Premise Security Enhancements documentation and the SysAid blog.
- agent/type
- agent/first-publish-date
- agent/title
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/last-modified-date
- agent/trending
- agent/source
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- zeroday/true
- vendor/sysaid
- canonical/sysaid on-premises
- canonical/sysaid server
- canonical/sysaid