Vulnerabilities > Kaseya > VSA > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-09 | CVE-2021-30117 | SQL Injection vulnerability in Kaseya VSA The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. | 6.5 |
| 2021-07-09 | CVE-2021-30120 | Incorrect Resource Transfer Between Spheres vulnerability in Kaseya VSA Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. | 5.0 |
| 2021-07-09 | CVE-2021-30121 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kaseya VSA Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 | 4.0 |
| 2021-07-09 | CVE-2021-30201 | XXE vulnerability in Kaseya VSA The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. | 5.0 |