CVE-2021-31862: 
SysAid Server vulnerability analysis and mitigation

SysAid 20.4.74 was discovered to contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to execute arbitrary web scripts via the stamp parameter in KeepAlive.jsp. The vulnerability was discovered on April 28, 2021, and was publicly disclosed on October 29, 2021 (GitHub POC).

The vulnerability is a reflected XSS issue that can be exploited through the KeepAlive.jsp endpoint. The stamp parameter in the URL is not properly sanitized, allowing injection of malicious JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the malicious URL. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

Users should upgrade to a version newer than 20.4.74. The vendor was contacted multiple times regarding this vulnerability - initially on April 28, 2021, and again on May 28, 2021, when no response was received to the initial contact (GitHub POC).