CVE-2022-47075

Severity: High · Public PoC
Published: 28 February 2023
Modified: 18 March 2025
KEV Added: not listed
Patch: none documented
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9205 (99.7th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-47075 is a high-severity vulnerability (weakness type unspecified) in Smartofficepayroll Smartoffice. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Smart Office Web versions 20.28 and earlier contain an information disclosure vulnerability that permits unauthenticated remote attackers to retrieve sensitive data by supplying crafted values to the action name parameter of ExportEmployeeDetails.aspx and ExportReportingManager.aspx. The flaw is reflected in a CVSS 3.1 base score of 7.5 and stems from missing authorization checks on these export endpoints.

An attacker with network access can directly invoke the affected endpoints without credentials or user interaction, resulting in the download of employee or reporting-manager details that should otherwise be restricted. The high EPSS score, currently 0.9205 with a recorded peak of 0.9253, indicates substantial exploitation interest following public disclosure.

Public references consist primarily of proof-of-concept listings and walkthroughs rather than vendor advisories; consequently no official patch or mitigation guidance is documented in the supplied sources. The consistently elevated EPSS values since publication suggest the issue has drawn sustained attention from potential threat actors.
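Since no vendor patch is documented, one practical control is to watch web-server logs for successful hits on the two export endpoints that carry no authenticated user. The following is an added example, not code from the advisory or the vendor: it parses constructed IIS W3C log lines with an assumed field order and a placeholder query string (the real parameter name and values are not given on this page), and it assumes the server records the authenticated user in cs-username; under forms authentication that field is often "-" for every request, so correlate with the session cookie instead.

```python
# Added example: flag successful, unauthenticated requests to the export
# endpoints named in CVE-2022-47075 in IIS W3C log lines (constructed sample).
EXPORT_ENDPOINTS = {"/exportemployeedetails.aspx", "/exportreportingmanager.aspx"}

# Assumed W3C field order; adjust to your server's "#Fields:" header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log. "action=EXAMPLE" is a placeholder query string, not
# the real parameter used by the product.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 jsmith 203.0.113.10 Mozilla/5.0 200
2023-03-01 10:00:07 10.0.0.5 GET /ExportEmployeeDetails.aspx action=EXAMPLE 443 - 198.51.100.7 curl/7.88 200
2023-03-01 10:00:09 10.0.0.5 GET /ExportReportingManager.aspx action=EXAMPLE 443 - 198.51.100.7 curl/7.88 200
2023-03-01 10:01:30 10.0.0.5 GET /ExportEmployeeDetails.aspx action=EXAMPLE 443 hr.admin 203.0.113.10 Mozilla/5.0 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; return None if the field count is off."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_unauthenticated_exports(log_text):
    """Return (client_ip, uri_stem, query, status) for 200 responses on the export
    endpoints where IIS logged no authenticated user ("-" in cs-username)."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip blank lines and directives
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cs-uri-stem"].lower() not in EXPORT_ENDPOINTS:
            continue
        if rec["cs-username"] != "-" or rec["sc-status"] != "200":
            continue                           # authenticated or unsuccessful
        hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_exports(SAMPLE_LOG):
        print("ALERT unauthenticated export download:", hit)
```

The sample yields two alerts, both from the same client; the authenticated hr.admin request and the unrelated page are not flagged.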

Vulnerability details

An issue was discovered in Smart Office Web 20.28 and earlier that allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx and to ExportReportingManager.aspx.

CWE(s): none assigned (weakness type unspecified)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

smartofficepayroll smartoffice, versions ≤ 20.28

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.