CVE-2021-30121

Name of the Vulnerable Software and Affected Versions Kaseya VSA versions prior to 9.5.6

Description The issue allows for semi-authenticated local file inclusion, where the contents of arbitrary files can be returned by the web server. A valid session ID is required but can be easily obtained. This can be exploited through a crafted request, such as visiting a specific URL with a manipulated path parameter, for example, https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:KaseyaWebPagesdl.asp.

Recommendations For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the js.aspx endpoint until a patch is applied. Avoid using the path parameter in the affected API endpoint until the issue is resolved.