Anonymous User Registration Bypass in SysAid ITIL by SysAid
CVE-2021-43974

5.3MEDIUM

Key Information:

Vendor
Sysaid
Status
Itil
Vendor
CVE Published:
11 January 2022

Summary

A security flaw exists in SysAid ITIL 20.4.74 b10 that allows unauthenticated users to register for new accounts. The /enduserreg endpoint fails to adhere to server-side configurations that restrict anonymous user registration. In instances where the server setting is adjusted to disable anonymous registrations, only the client-side form is concealed. Unscrupulous users can still submit registration data, thereby creating accounts without proper authentication, posing potential risks to the integrity of the system.

References

https://www.sysaid.com/it-service-management-software/inc...
x_refsource_MISC
https://github.com/atredispartners/advisories/blob/master...
x_refsource_MISC
https://github.com/atredispartners/advisories/blob/master...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.