Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script> The same is true for the parameter FileName of /done.asp Eaxmple request: https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078
AnalysisAI
Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script> The same is true for the parameter FileName of /done.asp Eaxmple request: https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078 Affected products include: Kaseya Vsa.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Man
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. Rated high severity (CVSS 7.5), this vulnerability
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. Rated medium severity (CVSS 6.7), this vulnerability is low
Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the p
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. Rated high severity (CVSS 7.5), this vulnerabili
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today