CVE-2022-47076
Published: 28 February 2023
Summary
CVE-2022-47076 is a high-severity vulnerability in Smartofficepayroll Smartoffice whose weakness type (CWE) is unspecified. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-47076 is an information disclosure vulnerability affecting Smart Office Web version 20.28 and earlier. The flaw resides in the DisplayParallelLogData.aspx endpoint and permits unauthenticated remote access to sensitive data, as reflected in its CVSS 7.5 rating with a network attack vector, no required privileges or user interaction, and high confidentiality impact.
An attacker can send crafted requests to the vulnerable endpoint to retrieve sensitive information through an insecure direct object reference (IDOR). Because the issue requires no authentication, exploitation is possible by any remote party able to reach the web application, resulting in exposure of data that should otherwise remain restricted.
Public references, including Packet Storm entries and walkthrough sites, document the issue and provide proof-of-concept details but contain no official vendor advisory or patch information. The EPSS score has remained flat at 0.2339 with no material increase since disclosure.
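Since no vendor patch is referenced, the practical defensive step is to check web-server access logs for successful, unauthenticated hits on the affected endpoint. The following is an added example, not code from the page or the vendor; it assumes a simplified IIS W3C-style field order (date time c-ip cs-username cs-method cs-uri-stem sc-status) and uses constructed log lines and IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page or the vendor). Assumed
# field order: date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2023-03-01 10:00:01 203.0.113.7 - GET /DisplayParallelLogData.aspx 200
2023-03-01 10:00:02 203.0.113.7 - GET /DisplayParallelLogData.aspx 200
2023-03-01 10:00:03 203.0.113.7 - GET /DisplayParallelLogData.aspx 200
2023-03-01 10:05:00 198.51.100.4 jdoe GET /DisplayParallelLogData.aspx 200
2023-03-01 10:06:00 198.51.100.9 - GET /Login.aspx 200
"""

# Endpoint named in the CVE description; matched case-insensitively on the
# path suffix so any virtual-directory prefix is tolerated.
TARGET = "displayparallellogdata.aspx"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, user, method, uri, status = m.groups()
    return {"ts": f"{date} {time}", "ip": ip, "user": user, "method": method,
            "uri": uri.split("?", 1)[0].lower(), "status": int(status)}

def find_unauthenticated_hits(log_text):
    """Return {client_ip: count} of HTTP 200 responses for the vulnerable
    endpoint where no authenticated username was recorded ('-').
    A patched or access-controlled deployment should answer such requests
    with a redirect or 401 instead, so these are the rows worth triaging."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if (rec["uri"].endswith(TARGET) and rec["status"] == 200
                and rec["user"] == "-"):
            hits[rec["ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in sorted(find_unauthenticated_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unauthenticated request(s) to {TARGET}")
```

Real IIS logs carry more fields and a configurable order, so adjust LINE_RE to the #Fields header of the log you are reading before running it at scale.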
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-49853
Vulnerability details
An issue discovered in Smart Office Web 20.28 and earlier allows attackers to view sensitive information via DisplayParallelLogData.aspx.
- CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.