The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross-site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates the source of communications.
CVE-2018-5404: The Quest Kace System Management (K1000) Appliance allows an authenticated, remote attacker holding only the lowest-privilege role ('User Console Only') to potentially exploit multiple blind SQL injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89)
Apply an update
Vendor: Quest Kace
Status: Affected
Notified: October 04, 2018
Updated: June 03, 2019
Statement Date: October 24, 2018
Upgrade to version 9.1.317.
Thanks to Kapil Khot for reporting this vulnerability.
This document was written by Laurie Tyzenhaus.
CVE IDs: CVE-2018-5404, CVE-2018-5405, CVE-2018-5406
Date First Published: 2019-06-01
Date Last Updated: 2019-06-03 15:39 UTC