CVE-2021-30121

MEDIUM

Semi-authenticated local file inclusion - Path Traversal

Title source: llm

Description

Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118

References (3)

[Patch, Third Party Advisory] https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/

[Patch, Third Party Advisory] https://csirt.divd.nl/DIVD-2021-00011

[Exploit, Third Party Advisory] https://csirt.divd.nl/CVE-2021-30121

Scores

CVSS v3 6.5

EPSS 0.0043

EPSS Percentile 62.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-829

Status published

Products (1)

kaseya/vsa < 9.5.6

Published Jul 09, 2021

Tracked Since Feb 18, 2026