8.8
CVE-2015-6589
- EPSS 13.58%
- Veröffentlicht 13.02.2020 21:15:11
- Zuletzt bearbeitet 21.11.2024 02:35:16
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginDirectory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8..0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Kaseya ≫ Virtual System Administrator Version >= 7.0.0.0 < 7.0.0.33
Kaseya ≫ Virtual System Administrator Version >= 8.0.0.0 < 8.0.0.23
Kaseya ≫ Virtual System Administrator Version >= 9.0.0.0 < 9.0.0.19
Kaseya ≫ Virtual System Administrator Version >= 9.1.0.0 < 9.1.0.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 13.58% | 0.96 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
http://packetstormsecurity.com/files/133782/Kaseya-Virtual-System-Administrator-Code-Execution-Privilege-Escalation.html
http://www.zerodayinitiative.com/advisories/ZDI-15-450
https://www.exploit-db.com/exploits/38351/
https://www.securityfocus.com/bid/76838