cbcvebase.
CVE-2022-47075
published 2023-02-28

CVE-2022-47075: An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to…

PriorityP181high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
59.41%
99.0th percentile
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.

Affected

1 ranges
VendorProductVersion rangeFixed in
smartofficepayrollsmartoffice<= 20.28

Detection & IOCsextracted from sources · hover to see the quote

path/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails
path/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails
path/ExportReportingManager.aspx
path/DisplayParallelLogData.aspx
path/ExportEmployeeLoginDetails.aspx
filenameExportEmployeeDetails.csv
filenameExportReportingManager.csv
filenameExportEmployeeLoginDetails.csv
sigma
HTTP GET to /ExportReportingManager.aspx returning HTTP 200 with content-type application/CSV containing 'EmployeeName' and 'EmployeeCode'
  • Detect unauthenticated GET requests to the vulnerable export endpoints: /ExportEmployeeDetails.aspx, /ExportReportingManager.aspx, /ExportEmployeeLoginDetails.aspx, and /DisplayParallelLogData.aspx — especially with ActionName query parameters.
  • Flag HTTP responses with Content-Type 'application/CSV' from Smart Office Web endpoints containing the strings 'EmployeeName' and 'EmployeeCode' in the body, which indicate successful sensitive data exfiltration.
  • Use the Shodan dork to identify exposed Smart Office Web instances on the internet that may be targeted.
  • Monitor for downloads of files named ExportEmployeeDetails.csv, ExportReportingManager.csv, ExportEmployeeLoginDetails.csv, ExportEmployeeOtherDetails.csv, or DisplayParallelLogData.txt from Smart Office Web servers, as these are the output artifacts of successful exploitation.
  • ·CVE-2022-47075 covers ExportEmployeeDetails.aspx and ExportReportingManager.aspx. A related but distinct CVE (CVE-2022-47076) covers additional endpoints including DisplayParallelLogData.aspx and ExportEmployeeLoginDetails.aspx. The exploit script targets both CVEs together.
  • ·The vendor partially patched the vulnerability in versions after 20.28, but ExportEmployeeDetails.aspx remained vulnerable even in later versions according to the researcher.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.