CVE-2022-47076
Published 2023-02-28

CVE-2022-47076: An issue in Smart Office Web 20.28 and earlier allows attackers to view sensitive information via DisplayParallelLogData.aspx.
Priority: P3 · 55 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 6.18% (92.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartofficepayroll | smartoffice | <= 20.28 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP GET requests to /DisplayParallelLogData.aspx, /ExportEmployeeDetails.aspx, /ExportReportingManager.aspx, and /ExportEmployeeLoginDetails.aspx; successful unauthenticated access to any of these endpoints indicates active exploitation of the IDOR vulnerability.
- Use the Shodan dork 'smart office' (inurl search) to identify exposed Smart Office Web instances on the internet that may be targeted.
- Alert on HTTP responses returning CSV or log file content (e.g., employee credentials, login details) from the identified .aspx endpoints without a prior authenticated session.
- Note that even patched versions remain vulnerable via /ExportEmployeeDetails.aspx; continue monitoring this endpoint regardless of reported patch status.
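
The monitoring described in the bullets above can be run over web server logs. The following is an added example, not code from this page or from the vendor. It assumes IIS W3C extended logs with the `cs(Cookie)` field enabled, and it assumes that authenticated sessions carry the default ASP.NET session cookie `ASP.NET_SessionId`; the log lines are constructed.

```python
# Added example: flag anonymous 200 responses from the endpoints listed above.
ENDPOINTS = {
    "/displayparallellogdata.aspx",
    "/exportemployeedetails.aspx",
    "/exportreportingmanager.aspx",
    "/exportemployeelogindetails.aspx",
}
SESSION_COOKIE = "ASP.NET_SessionId"  # assumption: default ASP.NET session cookie name

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status sc-bytes
2023-03-01 10:00:01 198.51.100.7 GET /DisplayParallelLogData.aspx - 200 48213
2023-03-01 10:00:05 198.51.100.7 GET /ExportEmployeeDetails.aspx - 200 90211
2023-03-01 10:02:11 192.0.2.10 GET /ExportEmployeeDetails.aspx ASP.NET_SessionId=abc123 200 90211
2023-03-01 10:03:40 203.0.113.9 GET /exportreportingmanager.aspx - 302 154
2023-03-01 10:04:02 203.0.113.9 GET /Login.aspx - 200 5120
"""

def find_unauthenticated_hits(lines):
    """Return (timestamp, client_ip, path) for each anonymous 200 GET to a watched endpoint."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names apply to the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows
        row = dict(zip(fields, values))
        path = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        has_session = SESSION_COOKIE.lower() in row.get("cs(Cookie)", "-").lower()
        if (row.get("cs-method") == "GET" and path in ENDPOINTS
                and row.get("sc-status") == "200" and not has_session):
            stamp = f"{row.get('date', '')} {row.get('time', '')}"
            hits.append((stamp, row.get("c-ip", "-"), row["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG.splitlines()):
        print("ALERT unauthenticated access:", *hit)
```

If the deployment does not log cookies, the same match on path and status still surfaces candidate requests, but each hit then needs to be correlated with authentication events by other means.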
No detection rules found.
- http://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-Disclosure-Insecure-Direct-Object-Reference.html
- https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
- https://cvewalkthrough.com/smart-office-suite-unauthenticated-data-ex/
- https://youtu.be/D42upepxzwM
Published: 2023-02-28