Reflected XSS Vulnerability in SysAid by SysAid Technologies
CVE-2020-13168

6.1 MEDIUM

Key Information:

Vendor: SysAid
CVE Published: 2 October 2020

What is CVE-2020-13168?

SysAid versions prior to 20.1.11b26 are vulnerable to reflected cross-site scripting (XSS) in the 'ForgotPassword.jsp' endpoint: the value of the 'accountid' parameter is reflected into the response without adequate encoding, so a crafted link can cause attacker-supplied script to execute in a victim's browser. Because the script runs in the context of the SysAid application, it can expose session data and let the attacker act within the user's session. Users and organizations running affected versions must take urgent action to secure their applications against potential exploitation.
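A defender's first question is whether this endpoint has been probed. The following is an added example (not code from the page or from SysAid) that scans web server access logs for requests to ForgotPassword.jsp whose decoded accountid value contains markup or event-handler fragments; it assumes Combined Log Format and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Combined Log Format (not real SysAid traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2020:10:01:12 +0000] "GET /ForgotPassword.jsp?accountid=acme HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Oct/2020:10:02:40 +0000] "GET /ForgotPassword.jsp?accountid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1501 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Oct/2020:10:03:05 +0000] "GET /Login.jsp?accountid=%3Cb%3Ex HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.8 - - [02/Oct/2020:10:04:18 +0000] "GET /ForgotPassword.jsp?accountid=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Markup delimiters, quotes, javascript: URLs or on*= handlers have no place in an account id.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def flag_forgot_password_requests(log_text):
    """Return (ip, timestamp, decoded accountid) for each request that hits
    ForgotPassword.jsp with markup-like content in the accountid parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/forgotpassword.jsp"):
            continue  # only the affected endpoint is of interest here
        # parse_qs percent-decodes once; decode again to catch double-encoded values.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("accountid", []):
            value = unquote_plus(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in flag_forgot_password_requests(SAMPLE_LOG):
        print(f"{ts} {ip} accountid={value!r}")
```

A hit is evidence of probing, not of a successful attack; pair it with the affected-version check before escalating.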

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved