Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry (the path traversal issue maps to CWE-22, which is on that list).
Title: Kaseya Virtual System Administrator contains multiple vulnerabilities
Name: VU#919604
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-07-13
Last vendor modification: 2015-07-13
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Base Score: 4.3
CVSS Impact Score: 2.9
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Caveat: as written, this vector (no authentication required, partial integrity impact, no confidentiality impact) describes the open redirect rather than the authenticated arbitrary file download, which requires valid credentials and discloses file contents. Check the NVD entries for each CVE before reusing this single score for both issues.


Vulnerability Note VU#919604

Kaseya Virtual System Administrator contains multiple vulnerabilities

Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015


Overview

Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.


Description

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2862

Kaseya VSA is an IT management platform with a help desk ticketing system. An authenticated attacker can traverse directories and download arbitrary files by submitting a specially crafted HTTP request to the server hosting the VSA software.
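The note does not publish the request used, so the following is an added example rather than Kaseya's code: a hypothetical file-download handler in the naive form that permits the traversal described above, next to a hardened resolver that canonicalises the requested name and refuses anything that lands outside the download root. The directory layout, file names and request strings are constructed for the demonstration.

```python
"""Added example (not Kaseya code): naive vs. confined file-download path
resolution, the CWE-22 pattern described in the note.

Directory names, file names and request strings are constructed here; the
handlers are hypothetical and not taken from VSA.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversal(Exception):
    """Raised when a requested name escapes the download root."""


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: URL-decode and join. os.path.join honours '..'
    segments and absolute paths, so the caller is not confined to root."""
    return os.path.normpath(os.path.join(root, unquote(requested)))


def safe_resolve(root: str, requested: str) -> str:
    """Hardened pattern: decode, canonicalise (symlinks included), then test
    containment with commonpath rather than a string-prefix comparison."""
    name = unquote(requested)
    # NUL bytes and absolute paths are rejected outright; both are classic
    # bypasses of later checks.
    if "\x00" in name or os.path.isabs(name) or name.startswith(("/", "\\")):
        raise PathTraversal(requested)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath correctly separates 'files' from a sibling 'files_private',
    # which a plain candidate.startswith(root) check would accept.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversal(requested)
    if candidate == root_real:
        raise PathTraversal(requested)  # the root itself is not a file
    return candidate


def demo():
    """Builds a constructed layout and reports, per request, whether each
    resolver would serve an existing file. Nothing here is network-facing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "files")
        os.makedirs(root)
        Path(root, "report.pdf").write_bytes(b"ok")
        os.makedirs(os.path.join(tmp, "files_private"))
        Path(tmp, "files_private", "db.config").write_bytes(b"secret")
        Path(tmp, "web.config").write_bytes(b"secret")

        requests = [
            "report.pdf",                  # legitimate download
            "..%2Fweb.config",             # URL-encoded traversal
            "../files_private/db.config",  # sibling dir: defeats startswith()
            "/etc/passwd",                 # absolute path
        ]
        naive = {r: os.path.exists(naive_resolve(root, r)) for r in requests}
        safe = {}
        for r in requests:
            try:
                safe[r] = os.path.exists(safe_resolve(root, r))
            except PathTraversal:
                safe[r] = False
        return naive, safe


if __name__ == "__main__":
    for label, result in zip(("naive", "safe"), demo()):
        print(label, result)
```

The sibling-directory case is the one most often missed: a check that the resolved path starts with the root string accepts `files_private/db.config` when the root is `files`, while `os.path.commonpath` does not. Resolving with `realpath` before the comparison also closes the symlink variant of the same escape.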

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-2863

Kaseya VSA, versions V7.x, R8.x and R9.x, contain an open redirect vulnerability. An attacker may be able to leverage users' trust in the domain to induce them to visit a site with malicious content.
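The note gives no parameter name or request, so the following is an added example and not Kaseya's code: a hypothetical post-login "return URL" check in the naive form that produces the open redirect described above, next to a hardened version that accepts only rooted same-origin paths or https URLs to an explicit host allow-list. The parameter name, host names and inputs are constructed for the demonstration.

```python
"""Added example (not Kaseya code): validating a redirect target, the
CWE-601 pattern described in the note.

The parameter name (returnUrl), host names and test inputs are hypothetical.
"""
from urllib.parse import urlsplit, unquote


def naive_redirect(return_url: str, default: str = "/") -> str:
    """Vulnerable pattern: trust the parameter. A phishing link such as
    https://vsa.example/login?returnUrl=https://evil.example sends the victim
    to the attacker's site after a trusted-looking first hop."""
    return return_url or default


def safe_redirect(return_url: str, allowed_hosts=frozenset(), default: str = "/") -> str:
    """Hardened pattern: return a rooted local path, an https URL whose host
    is in allowed_hosts, or default."""
    if not return_url:
        return default
    # Decode once so an encoded "//" or scheme cannot slip past the checks,
    # and drop control characters that could split the Location header.
    url = unquote(return_url)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return default
    # Browsers treat "\" like "/" in the authority position, so normalise
    # before parsing; "/\evil.example" would otherwise parse as a local path.
    parts = urlsplit(url.replace("\\", "/"))

    if parts.scheme:
        # hostname ignores userinfo, so "https://trusted@evil.example" is
        # judged by its real host, evil.example.
        host = (parts.hostname or "").lower()
        if parts.scheme == "https" and host in allowed_hosts:
            return url
        return default

    # No scheme: require a rooted, single-slash path. "//host" is a
    # scheme-relative URL, and "host/path" resolves against the current
    # location in a way the caller did not intend.
    if parts.netloc or not url.startswith("/") or url.startswith(("//", "/\\")):
        return default
    return url


if __name__ == "__main__":
    trusted = frozenset({"trusted.example"})
    for candidate in ("/account/settings", "//evil.example/", "/\\evil.example",
                      "%2F%2Fevil.example", "https://evil.example/",
                      "https://trusted.example@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect(candidate, trusted)!r}")
```

The design choice is to reject rather than repair: any value that is not plainly a local path or an allow-listed https origin falls back to the default landing page. Scheme-relative (`//host`), backslash (`/\host`), percent-encoded and userinfo (`trusted@evil`) forms are the variants that most commonly survive a naive "does it start with a slash" or "does it contain our domain" check.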

The CVSS metrics given in the CERT/CC note refer to CVE-2015-2862 (the arbitrary file download), not to the open redirect.


Impact

A remote, authenticated attacker can download arbitrary files. A remote, unauthenticated attacker may be able to redirect users to arbitrary web sites.


Solution

Apply an update

The vendor has released the following patches to address these issues:

  • R9.1: install patch
  • R9.0: install patch
  • R8.0: install patch
  • V7.0: install patch

Vendor Information

Vendor: Kaseya, Inc.
Status: Unknown
Date Notified: 27 Apr 2015
Date Updated: 27 Apr 2015

References

  • http://www.kaseya.com/solutions/virtual-administrator
  • http://cwe.mitre.org/data/definitions/22.html
  • http://cwe.mitre.org/data/definitions/601.html


Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-2862, CVE-2015-2863
  • Date Public: 13 Jul 2015
  • Date First Published: 13 Jul 2015
  • Date Last Updated: 13 Jul 2015
  • Document Revision: 13



Original Source

Url : http://www.kb.cert.org/vuls/id/919604

CWE : Common Weakness Enumeration

  • CWE-22 (100%): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Application: 67 entries

Alert History

  • 2015-07-22 05:38:27: Multiple updates
  • 2015-07-21 05:28:22: Multiple updates
  • 2015-07-13 21:25:51: First insertion