CVE-2019-15506

Name of the Vulnerable Software and Affected Versions Kaseya Virtual System Administrator (VSA) versions through 9.4.0.37

Description The issue concerns a critical information disclosure problem. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the "/DATAREPORTS" directory can be accessed for reports, including results from NMAP, Patch Status, and Active Directory domain metadata, allowing an attacker to collect and parse critical information. Multiple directories are affected.

Recommendations For versions through 9.4.0.37, as a temporary workaround, consider restricting access to sensitive directories such as "/DATAREPORTS" to minimize the risk of exploitation. Avoid using the affected web application until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.