Vulnerabilities > Kaseya
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-09 | CVE-2021-30121 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kaseya VSA Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 | 6.5 |
| 2021-07-09 | CVE-2021-30201 | XXE vulnerability in Kaseya VSA The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. | 7.5 |
| 2020-02-17 | CVE-2015-6922 | Improper Authentication vulnerability in Kaseya Virtual System Administrator Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx. | 9.8 |
| 2020-02-13 | CVE-2015-6589 | Path Traversal vulnerability in Kaseya Virtual System Administrator Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8..0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx. | 8.8 |
| 2019-10-11 | CVE-2019-14510 | Incorrect Default Permissions vulnerability in Kaseya VSA An issue was discovered in Kaseya VSA RMM through 9.5.0.22. | 6.7 |
| 2019-08-26 | CVE-2019-15506 | Missing Authentication for Critical Function vulnerability in Kaseya Virtual System Administrator An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. | 7.5 |
| 2019-02-05 | CVE-2018-20753 | Unspecified vulnerability in Kaseya Virtual System Administrator Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. | 9.8 |
| 2018-03-26 | CVE-2017-12410 | Race Condition vulnerability in Kaseya Virtual System Administrator It is possible to exploit a Time of Check & Time of Use (TOCTOU) vulnerability by winning a race condition when Kaseya Virtual System Administrator agent 9.3.0.11 and earlier tries to execute its binaries from working and/or temporary folders. | 7.4 |
| 2018-03-14 | CVE-2018-6328 | Improper Authentication vulnerability in Kaseya Unitrends Backup It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes. | 9.8 |
| 2017-08-07 | CVE-2017-12479 | Unspecified vulnerability in Kaseya Unitrends Backup It was discovered that an issue in the session logic in Unitrends Backup (UB) before 10.0.0 allowed using the LOGDIR environment variable during a web session to elevate an existing low-privilege user to root privileges. | 8.8 |