Lennaert Oudshoorn

**Name of the Vulnerable Software and Affected Versions** Kaseya VSA versions prior to 9.5.6 **Description** The issue allows for semi-authenticated local file inclusion, where the contents of arbitrary files can be returned by the web server. A valid session ID is required but can be easily obtained. This can be exploited through a crafted request, such as visiting a specific URL with a manipulated `path` parameter, for example, `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:KaseyaWebPagesdl.asp`. **Recommendations** For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `js.aspx` endpoint until a patch is applied. Avoid using the `path` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kaseya VSA versions prior to 9.5.6 **Description** The issue concerns an XML External Entity (XXE) vulnerability. It allows an attacker to submit malicious XML to the system via the API endpoint "/vsaWS/KaseyaWS.asmx". When this XML is processed, external entities are insecurely resolved and fetched by the system, potentially returning sensitive information to the attacker. This can be exploited to read any file on the server that the web server process can access. Additionally, it can be used to perform HTTP(s) requests within the local network, allowing an attacker to use the Kaseya system to pivot into the local network. **Recommendations** For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/vsaWS/KaseyaWS.asmx" API endpoint until a patch is applied. Avoid using the `XmlRequest` parameter in the affected API endpoint until the issue is resolved.