Vulnerability Description
Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaseya | Vsa | < 9.5.6 |
Related Weaknesses (CWE)
References
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/PatchThird Party Advisory
- https://csirt.divd.nl/CVE-2021-30121ExploitThird Party Advisory
- https://csirt.divd.nl/DIVD-2021-00011PatchThird Party Advisory
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/PatchThird Party Advisory
- https://csirt.divd.nl/CVE-2021-30121ExploitThird Party Advisory
- https://csirt.divd.nl/DIVD-2021-00011PatchThird Party Advisory
FAQ
What is CVE-2021-30121?
CVE-2021-30121 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A...
How severe is CVE-2021-30121?
CVE-2021-30121 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-30121?
Check the references section above for vendor advisories and patch information. Affected products include: Kaseya Vsa.