CVE-2021-30119
published 2021-07-09


Priority: P1 (81)
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 59.63% (99.0th percentile)
Authenticated reflected XSS in HelpDeskTab/rcResults.asp

The parameter `result` of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross-Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=alert(document.cookie)`

The same is true for the parameter `FileName` of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`

Affected (1 range)

Vendor: kaseya
Product: vsa
Version range: < 9.5.7
Fixed in: 9.5.7

Detection & IOCs (extracted from sources)

  • url: /HelpDeskTab/rcResults.asp?result=alert(document.cookie)
  • url: /done.asp?FileName=";alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078
  • path: /HelpDeskTab/rcResults.asp
  • path: /done.asp
  • Monitor HTTP requests to /HelpDeskTab/rcResults.asp for script injection payloads in the 'result' query parameter
  • Monitor HTTP requests to /done.asp for script injection payloads in the 'FileName' query parameter
  • CVE-2021-30119 was exploited by REvil ransomware group in July 2021 as part of a supply-chain attack on managed service providers, alongside CVE-2021-30116 and CVE-2021-30120; treat exploitation as indicative of broader REvil intrusion activity
  • Exploitation requires authentication; the XSS is reflected and authenticated, which limits the unauthenticated attack surface but keeps it relevant in post-authentication compromise chains (e.g., session hijacking via document.cookie)

CVSS provenance

  • nvd (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • nvd (v2.0): 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N
  • vulncheck: 5.4 MEDIUM