CVE-2021-30119

low-risk
Published 2021-07-09

Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Vsa

Affected Vendors

Kaseya

References (6)

Patch https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
Exploit https://csirt.divd.nl/CVE-2021-30119
Patch https://csirt.divd.nl/DIVD-2021-00011
Patch https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
Exploit https://csirt.divd.nl/CVE-2021-30119
Patch https://csirt.divd.nl/DIVD-2021-00011
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal