Vulnerabilities > CVE-2021-30121 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kaseya VSA

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

kaseya

CWE-829

NVD

Published: 2021-07-09

Updated: 2022-04-29

Summary

Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118

Vulnerable Configurations

Part	Description	Count
Application	Kaseya Kaseya VSA -	1

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
https://csirt.divd.nl/CVE-2021-30121
https://csirt.divd.nl/DIVD-2021-00011