CVE-2021-30121

(Semi-)Authenticated local file inclusion in Kaseya VSA < v9.5.6

CVE	CVE-2021-30121
Title	(Semi-)Authenticated local file inclusion in Kaseya VSA < v9.5.6
Case	DIVD-2021-00011
Credits	Discovered by Wietse Boonstra of DIVD () Additional research by Frank Breedijk of DIVD ()
CVSS
References	https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ ( x_refsource_CONFIRM ) https://csirt.divd.nl/DIVD-2021-00011 ( x_refsource_CONFIRM ) https://csirt.divd.nl/CVE-2021-30121 ( x_refsource_CONFIRM )
Problem type(s)	n/a
Date published
Last modified	04 Apr 2022 06:25 CEST

Description

Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp A valid sessionId is required but can be easily obtained via CVE-2021-30118

Solution(s)

Upgrade to a version above 9.5.6

JSON version.

DIVD CSIRT

CVE-2021-30121

(Semi-)Authenticated local file inclusion in Kaseya VSA < v9.5.6

Description

Solution(s)