CVE-2022-47075
Published: 28 February 2023
Summary
CVE-2022-47075 is a high-severity an unspecified weakness vulnerability in Smartofficepayroll Smartoffice. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Smart Office Web versions 20.28 and earlier contain an information disclosure vulnerability that permits unauthenticated remote attackers to retrieve sensitive data by supplying crafted values to the action name parameter of ExportEmployeeDetails.aspx and ExportReportingManager.aspx. The flaw is reflected in a CVSS 3.1 base score of 7.5 and stems from missing authorization checks on these export endpoints.
An attacker with network access can directly invoke the affected endpoints without credentials or user interaction, resulting in the download of employee or reporting-manager details that should otherwise be restricted. The high EPSS score, currently 0.9205 with a recorded peak of 0.9253, indicates substantial exploitation interest following public disclosure.
Public references consist primarily of proof-of-concept listings and walkthroughs rather than vendor advisories; consequently no official patch or mitigation guidance is documented in the supplied sources. The consistently elevated EPSS values since publication suggest the issue has drawn sustained attention from potential threat actors.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-49852
Vulnerability details
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.