SysAid On-Prem
cpe:2.3:a:sysaid:on-premise:*:*:*:*:*:*:*, +1 more
- <= 23.3.40
An unauthenticated XML External Entity (XXE) injection vulnerability has been identified in SysAid On-Prem versions through 23.3.40. It lies in the lshw processing functionality and can be exploited to take over administrator accounts and read sensitive files.
Exploitation of this vulnerability allows for unauthorized access to administrator accounts, potentially leading to full control over the SysAid application.
The vulnerability can be reproduced by sending a POST request to the '/mdm/serverurl' or '/lshw' endpoint with a crafted XML payload that references an external DTD. This DTD can be hosted on an attacker-controlled server and, once fetched, used to exfiltrate files from the victim's system. The vulnerability can also be exploited in-band: the response to the initial request includes the contents of the requested file, which confirms successful exploitation.
Users can upgrade to SysAid On-Prem version 24.4.60 or later, where this vulnerability has been patched.
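The root cause described above is an XML parser that honours DTD declarations in untrusted input. The page does not say which XML library SysAid's lshw endpoint uses or how the vendor fixed it, so the following is an added illustration of the mitigation pattern rather than SysAid's code: a parser built on Python's standard-library expat that refuses DOCTYPE declarations, entity declarations and external entity references before any of them can be acted on, plus a small classifier a defender could run over request bodies. The sample bodies, file path and DTD host are constructed placeholders.

```python
"""Hardened XML parsing for untrusted input, as a mitigation pattern for XXE.

Added example, not SysAid code: the page does not name the XML library
behind the lshw endpoint, so this shows the general principle with
Python's stdlib expat. A parser for untrusted input should refuse DOCTYPE
declarations outright; without a DTD there can be no entity declarations,
and therefore no external entities to fetch and no files to read.
"""
from typing import Tuple
from xml.etree import ElementTree as ET
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML tries to declare a DTD or entities."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML into an ElementTree, refusing any DTD-related construct.

    The expat handlers fire as soon as the declaration is seen, so raising
    inside them stops parsing before an external DTD or entity could be
    resolved. Each handler raises rather than returning a value so the
    rejection cannot be silently ignored by a caller.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(
            f"DOCTYPE {name!r} rejected: DTDs are not accepted from untrusted input"
        )

    def reject_entity_decl(*_args):
        raise DoctypeRejected("entity declaration rejected")

    def reject_external_entity(context, base, sysid, pubid):
        raise DoctypeRejected(f"external entity reference to {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_entity
    # Ordinary element and text events are forwarded to the tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def check_request_body(data: bytes) -> Tuple[bool, str]:
    """Classify a request body as (accepted, root tag or rejection reason)."""
    try:
        root = parse_untrusted_xml(data)
    except DoctypeRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, root.tag


# Constructed sample bodies (not captured traffic). The first resembles an
# lshw inventory upload; the other two carry the DTD constructs an XXE
# payload depends on. The file path and DTD host are placeholders.
BENIGN_LSHW_XML = (
    b'<?xml version="1.0"?>'
    b'<list><node id="computer"><description>Computer</description></node></list>'
)
XXE_INTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b'<root>&ext;</root>'
)
XXE_EXTERNAL_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root SYSTEM "http://dtd-host.invalid/placeholder.dtd">'
    b'<root/>'
)

if __name__ == "__main__":
    samples = [
        ("benign lshw", BENIGN_LSHW_XML),
        ("internal entity", XXE_INTERNAL_ENTITY),
        ("external DTD", XXE_EXTERNAL_DTD),
    ]
    for label, body in samples:
        print(f"{label:16s} -> {check_request_body(body)}")
```

The benign inventory parses normally, while both DTD-bearing bodies are rejected at the DOCTYPE before any entity is declared or resolved. Rejecting the DOCTYPE itself, rather than only disabling entity expansion, is the stricter choice: an endpoint that receives machine-generated lshw output has no legitimate need for a DTD, so a rejection there is also a useful detection signal worth logging.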