The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross-site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates the source of communications.
CVE-2018-5404: The Quest Kace System Management (K1000) Appliance allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89)
Apply an update
Thanks to Kapil Khot for reporting this vulnerability.
This document was written by Laurie Tyzenhaus.