Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKaseya Virtual System Administrator
APPKaseya7.0.0.0 – 7.0.0.33 (bez)8.0.0.0 – 8.0.0.23 (bez)9.0.0.0 – 9.0.0.19 (bez)9.1.0.0 – 9.1.0.9 (bez)
Related vulnerabilities
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote ...
Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8..0.0...
An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical infor...
It is possible to exploit a Time of Check & Time of Use (TOCTOU) vulnerability by winning a race condition whe...
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0...