6.5
CVE-2021-30121
- EPSS 4.83%
- Veröffentlicht 09.07.2021 14:15:07
- Zuletzt bearbeitet 21.11.2024 06:03:20
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Login(Semi-)Authenticated local file inclusion in Kaseya VSA < v9.5.6
Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.83% | 0.908 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| cve@mitre.org | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
https://csirt.divd.nl/DIVD-2021-00011
https://csirt.divd.nl/CVE-2021-30121