Cyber Resilience

CVE-2022-47076

Severity: High · Public PoC

Published: 28 February 2023
Modified: 18 March 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.2339 (96.1st percentile)
Risk priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-47076 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Smartofficepayroll Smartoffice. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-47076 is an information disclosure vulnerability affecting Smart Office Web version 20.28 and earlier. The flaw resides in the DisplayParallelLogData.aspx endpoint and permits unauthenticated remote access to sensitive data, as reflected in its CVSS 7.5 rating with a network attack vector, no required privileges or user interaction, and high confidentiality impact.

An attacker can send crafted requests to the vulnerable endpoint to retrieve sensitive information through an insecure direct object reference (IDOR). Because the issue requires no authentication, exploitation is possible by any remote party able to reach the web application, resulting in exposure of data that should otherwise remain restricted.

Public references, including Packet Storm entries and walkthrough sites, document the issue and provide proof-of-concept details but contain no official vendor advisory or patch information. The EPSS score has remained flat at 0.2339 with no material increase since disclosure.
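Because no vendor patch or mitigating control is recorded for this CVE, the practical defensive step is to watch web-server access logs for traffic to the DisplayParallelLogData.aspx endpoint named above, and in particular for one client walking through many object references, which is the access pattern an unauthenticated IDOR produces. The script below is an added example written for this page, not code from the vendor or from any of the referenced proof-of-concept write-ups. It assumes an Apache combined-style access log; the sample log lines, the IP addresses and the query parameter name `id` are constructed, and the detection keys on the whole query string so it does not depend on knowing the real parameter name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# The endpoint name is the one fact taken from the CVE description; the log
# format (Apache combined style), the sample lines and the query parameter
# name "id" are constructed for this example.
VULNERABLE_PATH_SUFFIX = "/displayparallellogdata.aspx"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    target: str
    status: int
    object_ref: tuple  # sorted (param, value) pairs of the query string


def parse_hit(line):
    """Return a Hit if the line is a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # Compare case-insensitively: ASP.NET/IIS paths are not case-sensitive,
    # and the application may be deployed under any virtual directory.
    if not parts.path.lower().endswith(VULNERABLE_PATH_SUFFIX):
        return None
    # The whole query string is the "object reference", so the check works
    # without assuming which parameter selects the record.
    object_ref = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return Hit(m.group("ip"), m.group("ts"), m.group("target"),
               int(m.group("status")), object_ref)


def find_hits(lines):
    """All requests to the vulnerable endpoint, in log order."""
    return [h for h in (parse_hit(line) for line in lines) if h is not None]


def enumeration_report(hits, threshold=3):
    """Per source IP: request count, successful (2xx) count, number of distinct
    object references requested, and a flag once that number reaches the
    threshold (one client walking through many records)."""
    per_ip = defaultdict(lambda: {"requests": 0, "successful": 0, "objects": set()})
    for h in hits:
        entry = per_ip[h.ip]
        entry["requests"] += 1
        if 200 <= h.status < 300:
            entry["successful"] += 1
        entry["objects"].add(h.object_ref)
    report = {}
    for ip, e in per_ip.items():
        distinct = len(e["objects"])
        report[ip] = {
            "requests": e["requests"],
            "successful": e["successful"],
            "distinct_objects": distinct,
            "flagged": distinct >= threshold,
        }
    return report


# Constructed sample log: one client enumerating records, one client making a
# single request, one unrelated login request (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2023:10:00:01 +0000] "GET /smartoffice/DisplayParallelLogData.aspx?id=101 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Mar/2023:10:00:02 +0000] "GET /smartoffice/DisplayParallelLogData.aspx?id=102 HTTP/1.1" 200 5088
203.0.113.5 - - [01/Mar/2023:10:00:03 +0000] "GET /smartoffice/DisplayParallelLogData.aspx?id=103 HTTP/1.1" 200 4990
203.0.113.5 - - [01/Mar/2023:10:00:04 +0000] "GET /smartoffice/DisplayParallelLogData.aspx?id=104 HTTP/1.1" 404 312
198.51.100.7 - - [01/Mar/2023:10:05:00 +0000] "GET /smartoffice/DisplayParallelLogData.aspx?id=101 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2023:10:05:30 +0000] "GET /smartoffice/Default.aspx HTTP/1.1" 200 2048
192.0.2.9 - - [01/Mar/2023:10:06:00 +0000] "POST /smartoffice/Login.aspx HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, row in enumeration_report(find_hits(SAMPLE_LOG.splitlines())).items():
        print(ip, row)
```

Any hit at all is worth reviewing while the endpoint is reachable without authentication; the enumeration threshold only ranks which sources to look at first. On a real deployment the same report can be fed from the IIS W3C log after adjusting `LOG_RE`, and the endpoint can be restricted at the web server or reverse proxy until the vendor ships a fix.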

EU & UK References

Vulnerability details

An issue was discovered in Smart Office Web 20.28 and earlier that allows attackers to view sensitive information via DisplayParallelLogData.aspx.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: smartofficepayroll
Product: smartoffice
Versions: ≤ 20.28

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References