Vulnerabilities > Kaseya > VSA > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-07-09 CVE-2021-30119 Cross-site Scripting vulnerability in Kaseya VSA 9.5.6
Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
network
low complexity
kaseya CWE-79
5.4
2021-07-09 CVE-2021-30121 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kaseya VSA
Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118
network
low complexity
kaseya CWE-829
6.5
2019-10-11 CVE-2019-14510 Incorrect Default Permissions vulnerability in Kaseya VSA
An issue was discovered in Kaseya VSA RMM through 9.5.0.22.
local
low complexity
kaseya CWE-276
6.7