CVE-2021-30119 Overview
CVE-2021-30119 is an authenticated reflective Cross-Site Scripting (XSS) vulnerability affecting Kaseya VSA, a widely used IT infrastructure management solution. The vulnerability exists in multiple web application endpoints where user-supplied input is reflected back to the browser without proper sanitization or output encoding, enabling attackers to execute arbitrary JavaScript in the context of authenticated user sessions.
Critical Impact
Authenticated attackers can exploit this XSS vulnerability to steal session cookies, perform actions on behalf of legitimate users, or potentially escalate their access within the Kaseya VSA management console.
Affected Products
- Kaseya VSA (all versions prior to security patch)
- Kaseya VSA On-Premises installations
- Kaseya VSA SaaS deployments
Discovery Timeline
- July 7, 2021 - DIVD CSIRT publishes limited disclosure regarding Kaseya vulnerabilities
- July 9, 2021 - CVE-2021-30119 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-30119
Vulnerability Analysis
This vulnerability represents a classic reflective XSS flaw where user-controlled input is directly echoed back into the HTTP response without proper encoding or sanitization. The vulnerability affects at least two distinct endpoints within the Kaseya VSA web application: /HelpDeskTab/rcResults.asp and /done.asp.
In the first vulnerable endpoint, the result parameter value is directly inserted into the response HTML. When a malicious payload such as <script>alert(document.cookie)</script> is passed to this parameter, the browser interprets and executes the JavaScript code within the authenticated user's session context.
The second vulnerable endpoint (/done.asp) exhibits the same weakness through the FileName parameter. Attackers can craft payloads that escape the existing script context and inject arbitrary JavaScript by using quote sequences to break out of string delimiters.
Root Cause
The root cause of CVE-2021-30119 is improper input validation and output encoding (CWE-79). The application fails to sanitize or encode user-supplied parameters before reflecting them in the HTTP response. This allows attackers to inject HTML and JavaScript content that will be rendered and executed by the victim's browser.
Attack Vector
The attack is network-based and requires low privileges (authentication) along with user interaction. An attacker must craft a malicious URL containing the XSS payload and convince an authenticated Kaseya VSA user to click on it. The payload executes within the context of the victim's authenticated session, potentially allowing the attacker to:
- Steal session tokens or authentication cookies
- Perform administrative actions on behalf of the victim
- Modify displayed content to conduct phishing attacks
- Redirect users to malicious external sites
The vulnerability can be exploited through two request patterns. For the rcResults.asp endpoint, the result parameter accepts and reflects script tags directly into the HTML body. For the done.asp endpoint, the FileName parameter is reflected inside an existing script block, so an attacker can escape that script context by closing the existing script tag and injecting a new one, as demonstrated in the vulnerability disclosure.
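The two reflection contexts described above, modelled as an added illustration (not code from the advisory or from Kaseya): a verbatim reflection next to the context-appropriate encoding for each. The render functions are hypothetical stand-ins for the ASP pages, and the payload strings are constructed from the patterns the disclosure describes.

```python
import html
import json
import re

# Constructed sample inputs modelled on the two reflection contexts the
# advisory describes: an HTML body context (rcResults.asp "result") and a
# JavaScript string-literal context (done.asp "FileName").
HTML_PAYLOAD = "<script>alert(document.cookie)</script>"
SCRIPT_PAYLOAD = '"</script><script>alert(document.cookie)</script>'


def render_result_unsafe(result: str) -> str:
    """Body context, reflected verbatim: the CWE-79 pattern behind rcResults.asp."""
    return f"<div id='result'>{result}</div>"


def render_result_safe(result: str) -> str:
    """Body context: entity-encode so the browser renders the value as text."""
    return f"<div id='result'>{html.escape(result, quote=True)}</div>"


def render_filename_unsafe(filename: str) -> str:
    """Script context, reflected verbatim: the pattern behind done.asp."""
    return f'<script>var fileName = "{filename}";</script>'


def js_string_literal(value: str) -> str:
    """Script context: JSON-encode, then escape '</' so the HTML tokenizer never
    sees a premature </script>; U+2028/2029 are escaped for older JS engines."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_filename_safe(filename: str) -> str:
    return f"<script>var fileName = {js_string_literal(filename)};</script>"


def script_tags(page: str) -> tuple:
    """(start, end) counts of <script / </script tokens. In body context a
    start tag opens a script element; inside an existing script element only
    an end tag matters, because the tokenizer is in script-data state."""
    start = len(re.findall(r"<script\b", page, re.I))
    end = len(re.findall(r"</script\b", page, re.I))
    return start, end


def decodes_back(value: str) -> bool:
    """The escaped literal must still decode to the original value."""
    return json.loads(js_string_literal(value)) == value
```

HTML entity encoding alone would not be correct for the done.asp case: the value sits inside a JavaScript string, so it needs JavaScript string escaping, and the only token the HTML parser acts on there is a closing script tag.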
Detection Methods for CVE-2021-30119
Indicators of Compromise
- Unusual HTTP requests to /HelpDeskTab/rcResults.asp containing script tags or encoded JavaScript in the result parameter
- Suspicious requests to /done.asp with the FileName parameter containing HTML/JavaScript injection patterns
- Web server logs showing URL-encoded script payloads targeting these specific endpoints
- Unexpected session token exfiltration attempts to external domains from Kaseya VSA users
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to Kaseya VSA endpoints
- Configure intrusion detection systems to alert on HTTP requests containing <script>, javascript:, or encoded equivalents targeting /HelpDeskTab/ or /done.asp paths
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation
- Enable detailed access logging for Kaseya VSA web servers and monitor for suspicious parameter patterns
Monitoring Recommendations
- Review web server access logs regularly for requests containing XSS patterns targeting the affected endpoints
- Monitor for unusual outbound network connections originating from client browsers during Kaseya VSA sessions
- Set up alerts for authentication events that follow suspicious URL patterns in referrer headers
- Implement user behavior analytics to detect anomalous administrative actions that may result from session hijacking
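The log review described in the detection and monitoring sections, as an added example that is not part of the advisory: a small scanner for IIS W3C-style access logs that decodes the two named parameters (including double URL encoding) before looking for script tags or a javascript: scheme. The log excerpt is constructed for the example, not taken from a real Kaseya VSA server.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Endpoint -> reflected parameter pairs named in the advisory (compared lowercase).
WATCHED = {"/helpdesktab/rcresults.asp": "result", "/done.asp": "filename"}
# Tokens checked after decoding, so URL or entity encoding cannot hide them.
XSS_PATTERNS = re.compile(r"(<script\b|</script\b|javascript:)", re.I)

# Constructed IIS W3C-style log excerpt (not real Kaseya logs). The #Fields
# header drives the parser, so the column order is not hard-coded.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-07-02 10:15:01 GET /HelpDeskTab/rcResults.asp result=ticket+closed 10.0.0.5 200
2021-07-02 10:15:09 GET /HelpDeskTab/rcResults.asp result=%3Cscript%3Ealert(document.cookie)%3C/script%3E 10.0.0.9 200
2021-07-02 10:16:30 GET /done.asp FileName=report.pdf 10.0.0.5 200
2021-07-02 10:16:41 GET /done.asp FileName=%2522%253C%252Fscript%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E 10.0.0.9 200
"""


def normalise(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (catches double encoding), then decode entities."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value).lower()


def scan_w3c_log(text: str) -> list:
    """Return (line_no, path, param, token) for watched parameters whose
    decoded value contains an XSS token; parse_qs already decodes one layer."""
    fields, hits = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, raw.split()))
        param = WATCHED.get(rec.get("cs-uri-stem", "").lower())
        if param is None:
            continue
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for key, values in query.items():
            if key.lower() != param:
                continue
            for value in values:
                match = XSS_PATTERNS.search(normalise(value))
                if match:
                    hits.append((line_no, rec["cs-uri-stem"], param, match.group(1)))
    return hits
```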
How to Mitigate CVE-2021-30119
Immediate Actions Required
- Apply the latest Kaseya VSA security patches immediately to address this and related vulnerabilities
- Review and audit web server logs for any evidence of exploitation attempts
- Implement WAF rules to filter malicious XSS payloads targeting the affected endpoints
- Educate users about the risks of clicking suspicious links, even when authenticated to Kaseya VSA
Patch Information
Kaseya has released security updates to address this vulnerability. Organizations should consult the DIVD Kaseya Limited Disclosure and DIVD Security Advisory #00011 for detailed patch information and guidance on securing Kaseya VSA installations.
Workarounds
- Deploy a reverse proxy or WAF in front of Kaseya VSA to filter requests containing script injection patterns
- Restrict network access to Kaseya VSA management interfaces to trusted IP ranges only
- Implement browser-side protections such as strict CSP headers where possible
- Consider temporarily disabling the affected HelpDesk functionality if not critical to operations
# Example WAF rule pattern for blocking XSS attempts (ModSecurity format).
# Decodes URL and HTML-entity encoding first and matches opening or closing
# script tags case-insensitively, so the done.asp breakout (which starts with
# a closing tag) is caught as well as the plain rcResults.asp payload.
SecRule ARGS "@rx (?i)<\s*/?\s*script\b" \
    "id:100001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeNulls,deny,status:403,log,msg:'XSS Attack Detected on Kaseya VSA'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.