Posted by Patrick Webster via Fulldisclosure on Apr 04

https://www.osisecurity.com.au/kaseya-parameter-reflected-xss-enumeration-and-bruteforce-weakness.html

Date:
04-Apr-2017

Software:
Kaseya

Affected version:
Kaseya VSA v6.5.0.0.

Vulnerability details:

1. The “forgot password” function at https://[target]/access/logon.asp
reveals whether a username is valid/exists or not, which assists with
brute force attacks. An incorrect username responds with “No record of
this user exists”,…