MEDIUM🇬🇧 English

CVE-2021-30119

CVSS 5.4v3.1pub. 2021-07-09upd. 2024-11-21

Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Kaseya Vsa

    APP
    Kaseya
    < 9.5.7
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2021-30117CRITICAL9.8ten sam produkt

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injectio...

CVE-2021-30118CRITICAL9.8ten sam produkt

An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monito...

CVE-2021-30120CRITICAL9.9ten sam produkt

Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication...

CVE-2021-30201HIGH7.5ten sam produkt

The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) en...

CVE-2021-30121MEDIUM6.5ten sam produkt

Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Examp...