Vulnerabilities > Kaseya
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-06 | CVE-2021-43042 | Classic Buffer Overflow vulnerability in Kaseya Unitrends Backup An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. | 9.8 |
| 2021-12-06 | CVE-2021-43043 | Unspecified vulnerability in Kaseya Unitrends Backup An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. | 6.5 |
| 2021-12-06 | CVE-2021-43044 | Use of Hard-coded Credentials vulnerability in Kaseya Unitrends Backup An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. | 9.8 |
| 2021-09-01 | CVE-2021-40385 | Unspecified vulnerability in Kaseya Unitrends Backup Software An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. | 8.8 |
| 2021-09-01 | CVE-2021-40387 | Unspecified vulnerability in Kaseya Unitrends Backup Software An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. | 8.8 |
| 2021-07-09 | CVE-2021-30116 | Insufficiently Protected Credentials vulnerability in Kaseya VSA Agent and VSA Server Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. | 9.8 |
| 2021-07-09 | CVE-2021-30117 | SQL Injection vulnerability in Kaseya VSA The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. | 8.8 |
| 2021-07-09 | CVE-2021-30118 | Unrestricted Upload of File with Dangerous Type vulnerability in Kaseya VSA An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. | 9.8 |
| 2021-07-09 | CVE-2021-30119 | Cross-site Scripting vulnerability in Kaseya VSA 9.5.6 Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078` | 5.4 |
| 2021-07-09 | CVE-2021-30120 | Incorrect Resource Transfer Between Spheres vulnerability in Kaseya VSA Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. | 7.5 |