CVE-2022-47075

high-risk
Published 2023-02-28

An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.

Do I need to act?

!
92.1% chance of exploitation in next 30 days
EPSS score — higher than 8% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
51539
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Smartofficepayroll

References (8)

http://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-D...
Exploit https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
Broken Link https://cvewalkthrough.com/smart-office-suite-unauthenticated-data-ex/
Permissions Required https://youtu.be/D42upepxzwM
http://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-D...
Exploit https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
Broken Link https://cvewalkthrough.com/smart-office-suite-unauthenticated-data-ex/
Permissions Required https://youtu.be/D42upepxzwM
51
/ 100
high-risk
Severity 26/34 · High
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal