Vulnerability Note VU#919604
Kaseya Virtual System Administrator contains multiple vulnerabilities
Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.
CWE-22: Improper Limitation of Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2862
Kaseya VSA is an IT management platform with a help desk ticketing system. An authenticated attacker can traverse directories and download arbitrary files by submitting a specially crafted HTTP request to the server hosting the VSA software.
A remote, authenticated attacker can download arbitrary files. A remote, unauthenticated attacker may be able to redirect users to arbitrary web sites.
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Kaseya, Inc. | Unknown | 27 Apr 2015 | 27 Apr 2015 |
CVSS Metrics
Thanks to Pedro Ribeiro (firstname.lastname@example.org) of Agile Information Security for reporting these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2015-2862 CVE-2015-2863
- Date Public: 13 Jul 2015
- Date First Published: 13 Jul 2015
- Date Last Updated: 13 Jul 2015
- Document Revision: 13