Vulnerabilites related to quest - kace_systems_management_appliance
cve-2022-38220
Vulnerability from cvelistv5
Published
2023-02-28 00:00
Modified
2024-08-03 10:45
Severity ?
EPSS score ?
Summary
An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:53.014Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.quest.com/kb/339613"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.quest.com/kb/4368602/quest-response-to-kace-sma-vulnerability-cve-2022-38220"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://support.quest.com/kb/339613"
},
{
"url": "https://support.quest.com/kb/4368602/quest-response-to-kace-sma-vulnerability-cve-2022-38220"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-38220",
"datePublished": "2023-02-28T00:00:00",
"dateReserved": "2022-08-15T00:00:00",
"dateUpdated": "2024-08-03T10:45:53.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12917
Vulnerability from cvelistv5
Published
2019-11-06 14:44
Modified
2024-08-04 23:32
Severity ?
EPSS score ?
Summary
A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:55.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12917",
"datePublished": "2019-11-06T14:44:02",
"dateReserved": "2019-06-20T00:00:00",
"dateUpdated": "2024-08-04T23:32:55.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13076
Vulnerability from cvelistv5
Published
2019-11-06 14:49
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir].
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir]."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:58:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir]."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13076",
"datePublished": "2019-11-06T14:49:36",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11604
Vulnerability from cvelistv5
Published
2019-05-24 16:04
Modified
2024-08-04 22:55
Severity ?
EPSS score ?
Summary
An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.rcesecurity.com/ | x_refsource_MISC | |
| http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2019/May/40 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:41.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rcesecurity.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
},
{
"name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/May/40"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T18:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rcesecurity.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
},
{
"name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/May/40"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rcesecurity.com/",
"refsource": "MISC",
"url": "https://www.rcesecurity.com/"
},
{
"name": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
},
{
"name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/May/40"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11604",
"datePublished": "2019-05-24T16:04:52",
"dateReserved": "2019-04-30T00:00:00",
"dateUpdated": "2024-08-04T22:55:41.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29808
Vulnerability from cvelistv5
Published
2022-08-02 21:35
Modified
2024-08-03 06:33
Severity ?
EPSS score ?
Summary
In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://support.quest.com/kb/338163 | x_refsource_MISC | |
| https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/338163"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-02T21:35:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/338163"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-29808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.quest.com/kb/338163",
"refsource": "MISC",
"url": "https://support.quest.com/kb/338163"
},
{
"name": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808",
"refsource": "MISC",
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-29808",
"datePublished": "2022-08-02T21:35:42",
"dateReserved": "2022-04-26T00:00:00",
"dateUpdated": "2024-08-03T06:33:42.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-5406
Vulnerability from cvelistv5
Published
2019-06-03 18:23
Modified
2024-08-05 05:33
Severity ?
EPSS score ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.kb.cert.org/vuls/id/877837/ | third-party-advisory, x_refsource_CERT-VN | |
| https://support.quest.com/kb/288310/cert-coordination-center-report-update | x_refsource_CONFIRM | |
| http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Quest Kace | K1000 Appliance |
Version: 9.0.270 < 9.0.270 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:44.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "K1000 Appliance",
"vendor": "Quest Kace",
"versions": [
{
"lessThan": "9.0.270",
"status": "affected",
"version": "9.0.270",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance\u0027s settings."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-04T22:06:03",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The Quest Kace K1000 Appliance misconfigures the Cross-Origin Resource Sharing (CORS) mechanism.",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2018-5406",
"STATE": "PUBLIC",
"TITLE": "The Quest Kace K1000 Appliance misconfigures the Cross-Origin Resource Sharing (CORS) mechanism."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "K1000 Appliance",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0.270",
"version_value": "9.0.270"
}
]
}
}
]
},
"vendor_name": "Quest Kace"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance\u0027s settings."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#877837",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"name": "https://support.quest.com/kb/288310/cert-coordination-center-report-update",
"refsource": "CONFIRM",
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"name": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2018-5406",
"datePublished": "2019-06-03T18:23:46",
"dateReserved": "2018-01-12T00:00:00",
"dateUpdated": "2024-08-05T05:33:44.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-5405
Vulnerability from cvelistv5
Published
2019-06-03 18:23
Modified
2024-08-05 05:33
Severity ?
EPSS score ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.kb.cert.org/vuls/id/877837/ | third-party-advisory, x_refsource_CERT-VN | |
| https://support.quest.com/kb/288310/cert-coordination-center-report-update | x_refsource_CONFIRM | |
| http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Quest Kace | K1000 Appliance |
Version: 9.0.270 < 9.0.270 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:44.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "K1000 Appliance",
"vendor": "Quest Kace",
"versions": [
{
"lessThan": "9.0.270",
"status": "affected",
"version": "9.0.270",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with \u0027User Console Only\u0027 rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with \u0027user console only\u0027 rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-04T22:06:03",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The Quest Kace K1000 Appliance is vulnerable to JavaScript injection.",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2018-5405",
"STATE": "PUBLIC",
"TITLE": "The Quest Kace K1000 Appliance is vulnerable to JavaScript injection."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "K1000 Appliance",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0.270",
"version_value": "9.0.270"
}
]
}
}
]
},
"vendor_name": "Quest Kace"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with \u0027User Console Only\u0027 rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with \u0027user console only\u0027 rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#877837",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"name": "https://support.quest.com/kb/288310/cert-coordination-center-report-update",
"refsource": "CONFIRM",
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"name": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2018-5405",
"datePublished": "2019-06-03T18:23:49",
"dateReserved": "2018-01-12T00:00:00",
"dateUpdated": "2024-08-05T05:33:44.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13080
Vulnerability from cvelistv5
Published
2019-11-06 14:53
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator\u0027s browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:53:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13080",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator\u0027s browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13080",
"datePublished": "2019-11-06T14:53:54",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13081
Vulnerability from cvelistv5
Published
2019-11-06 14:55
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user\u0027s browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:55:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13081",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user\u0027s browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13081",
"datePublished": "2019-11-06T14:55:00",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13077
Vulnerability from cvelistv5
Published
2019-11-06 14:50
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.066Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:50:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13077",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13077",
"datePublished": "2019-11-06T14:50:54",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-30285
Vulnerability from cvelistv5
Published
2022-08-02 21:38
Modified
2024-08-03 06:48
Severity ?
EPSS score ?
Summary
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/kace/ | x_refsource_MISC | |
| https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:34.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/kace/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-02T21:38:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/kace/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-30285",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/kace/",
"refsource": "MISC",
"url": "https://www.quest.com/kace/"
},
{
"name": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285",
"refsource": "MISC",
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-30285",
"datePublished": "2022-08-02T21:38:53",
"dateReserved": "2022-05-04T00:00:00",
"dateUpdated": "2024-08-03T06:48:34.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12918
Vulnerability from cvelistv5
Published
2019-11-06 14:45
Modified
2024-08-04 23:32
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:55.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir]."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:57:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir]."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12918",
"datePublished": "2019-11-06T14:45:20",
"dateReserved": "2019-06-20T00:00:00",
"dateUpdated": "2024-08-04T23:32:55.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-10973
Vulnerability from cvelistv5
Published
2019-07-08 17:25
Modified
2024-08-04 22:40
Severity ?
EPSS score ?
Summary
Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/109001 | vdb-entry, x_refsource_BID | |
| https://www.us-cert.gov/ics/advisories/icsa-19-183-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Quest KACE |
Version: All versions prior to version 8.0.x, 8.1.x, and 9.0.x |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:40:15.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "109001",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/109001"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Quest KACE",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 8.0.x, 8.1.x, and 9.0.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "IMPROPER INPUT VALIDATION CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-08T17:26:09",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "109001",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/109001"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-10973",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Quest KACE",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 8.0.x, 8.1.x, and 9.0.x"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER INPUT VALIDATION CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "109001",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/109001"
},
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-10973",
"datePublished": "2019-07-08T17:25:30",
"dateReserved": "2019-04-08T00:00:00",
"dateUpdated": "2024-08-04T22:40:15.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-12567
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-08-05 18:43
Severity ?
EPSS score ?
Summary
SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://support.quest.com/kace-systems-management-appliance/kb/231874 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:55.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/231874"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/231874"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12567",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.quest.com/kace-systems-management-appliance/kb/231874",
"refsource": "CONFIRM",
"url": "https://support.quest.com/kace-systems-management-appliance/kb/231874"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12567",
"datePublished": "2017-08-07T16:00:00",
"dateReserved": "2017-08-05T00:00:00",
"dateUpdated": "2024-08-05T18:43:55.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-5404
Vulnerability from cvelistv5
Published
2019-06-03 18:23
Modified
2024-08-05 05:33
Severity ?
EPSS score ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.kb.cert.org/vuls/id/877837/ | third-party-advisory, x_refsource_CERT-VN | |
| https://support.quest.com/kb/288310/cert-coordination-center-report-update | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Quest Kace | K1000 Appliance |
Version: 9.0.270 < 9.0.270 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:44.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "K1000 Appliance",
"vendor": "Quest Kace",
"versions": [
{
"lessThan": "9.0.270",
"status": "affected",
"version": "9.0.270",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges (\u0027User Console Only\u0027 role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-03T18:23:52",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VU#877837",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The Quest Kace K1000 Appliance is vulnerable to multiple Blind SQL Injections.",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2018-5404",
"STATE": "PUBLIC",
"TITLE": "The Quest Kace K1000 Appliance is vulnerable to multiple Blind SQL Injections."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "K1000 Appliance",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0.270",
"version_value": "9.0.270"
}
]
}
}
]
},
"vendor_name": "Quest Kace"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Kapil Khot for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges (\u0027User Console Only\u0027 role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#877837",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"name": "https://support.quest.com/kb/288310/cert-coordination-center-report-update",
"refsource": "CONFIRM",
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2018-5404",
"datePublished": "2019-06-03T18:23:52",
"dateReserved": "2018-01-12T00:00:00",
"dateUpdated": "2024-08-05T05:33:44.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13078
Vulnerability from cvelistv5
Published
2019-11-06 14:52
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:52:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13078",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13078",
"datePublished": "2019-11-06T14:52:01",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29807
Vulnerability from cvelistv5
Published
2022-08-02 21:42
Modified
2024-08-03 06:33
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://support.quest.com/kb/338162 | x_refsource_MISC | |
| https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/338162"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-02T21:42:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/338162"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-29807",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.quest.com/kb/338162",
"refsource": "MISC",
"url": "https://support.quest.com/kb/338162"
},
{
"name": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807",
"refsource": "MISC",
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-29807",
"datePublished": "2022-08-02T21:42:14",
"dateReserved": "2022-04-26T00:00:00",
"dateUpdated": "2024-08-03T06:33:42.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13079
Vulnerability from cvelistv5
Published
2019-11-06 14:53
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.quest.com/products/kace-systems-management-appliance/ | x_refsource_MISC | |
| https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T14:53:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13079",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.quest.com/products/kace-systems-management-appliance/",
"refsource": "MISC",
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"name": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report",
"refsource": "MISC",
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13079",
"datePublished": "2019-11-06T14:53:02",
"dateReserved": "2019-06-30T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator\u0027s browser."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, presenta una vulnerabilidad de tipo XSS (por medio de una imagen SVG y un archivo HTML) lo que permite a un usuario autenticado ejecutar JavaScript arbitrario en el navegador de un administrador."
}
],
"id": "CVE-2019-13080",
"lastModified": "2024-11-21T04:24:09.670",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.423",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:23
Severity ?
Summary
A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de tipo XSS reflejado en Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317 que afecta el componente userui/software_library.php por medio del par\u00e1metro PATH_INFO."
}
],
"id": "CVE-2019-12917",
"lastModified": "2024-11-21T04:23:48.903",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.033",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-02 22:15
Modified
2024-11-21 07:02
Severity ?
Summary
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A49F4D9F-072E-40D5-96DF-DA7209C534DC",
"versionEndExcluding": "12.1.168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials."
},
{
"lang": "es",
"value": "En Quest KACE Systems Management Appliance (SMA) versiones hasta 12.0, es posible una colisi\u00f3n de hash durante la autenticaci\u00f3n. Esto puede permitir la autenticaci\u00f3n con credenciales no v\u00e1lidas"
}
],
"id": "CVE-2022-30285",
"lastModified": "2024-11-21T07:02:29.960",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-02T22:15:08.707",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.quest.com/kace/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338232/quest-response-to-kace-sma-vulnerabilities-cve-2022-30285"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.quest.com/kace/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-326"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir].
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir]."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, es vulnerable a una inyecci\u00f3n SQL. Un usuario autenticado posee la capacidad de ejecutar comandos arbitrarios contra la base de datos. El componente afectado es /userui/ticket_list.php, y los par\u00e1metros afectados son order[0][column] y order[0][dir]."
}
],
"id": "CVE-2019-13076",
"lastModified": "2024-11-21T04:24:09.090",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.157",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:23
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir]."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, es vulnerable a una inyecci\u00f3n SQL. El archivo afectado es software_library.php y los par\u00e1metros afectados son order[0][column] y order[0][dir]."
}
],
"id": "CVE-2019-12918",
"lastModified": "2024-11-21T04:23:49.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.097",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user\u0027s browser."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, tiene una vulnerabilidad de tipo XSS (por medio del campo title en la funcionalidad service desk ticket del archivo /common/ticket_associated_tickets.php) lo que permite a un usuario autenticado ejecutar JavaScript arbitrario en el navegador de un usuario del escritorio de servicio."
}
],
"id": "CVE-2019-13081",
"lastModified": "2024-11-21T04:24:09.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:12.097",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, tiene una vulnerabilidad de tipo XSS (por medio del par\u00e1metro SAM_TYPE del archivo sam_detail_titled.php) lo que permite a un atacante crear un enlace malicioso para atacar a usuarios autenticados."
}
],
"id": "CVE-2019-13077",
"lastModified": "2024-11-21T04:24:09.233",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.220",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-08 18:15
Modified
2024-11-21 04:20
Severity ?
Summary
Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/109001 | Third Party Advisory, VDB Entry | |
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-19-183-02 | Patch, Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/109001 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-19-183-02 | Patch, Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * | |
| quest | kace_systems_management_appliance | * | |
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FD06CBA-D647-4D74-9C2F-94A2AC68C3F7",
"versionEndIncluding": "8.0.320",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9625F56-33A8-4BCE-B0D5-7BBD587AE6DE",
"versionEndIncluding": "8.1.108",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE319FAF-E50B-4448-BF48-8524A23D353B",
"versionEndIncluding": "9.0.270",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface."
},
{
"lang": "es",
"value": "Quest KACE, todas las versiones anteriores a versi\u00f3n 8.0.x, 8.1.x y 9.0.x, permite acceso involuntario a las funciones de aprovechamiento del dispositivo de las herramientas de resoluci\u00f3n de problemas localizadas en la interfaz de usuario del administrador."
}
],
"id": "CVE-2019-10973",
"lastModified": "2024-11-21T04:20:16.497",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-08T18:15:10.947",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/109001"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Patch",
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/109001"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-183-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, es vulnerable a una inyecci\u00f3n SQL. Un usuario autenticado posee la capacidad de ejecutar comandos arbitrarios contra la base de datos. El componente afectado es /adminui/history_log.php. El par\u00e1metro afectado es TYPE_NAME."
}
],
"id": "CVE-2019-13079",
"lastModified": "2024-11-21T04:24:09.523",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.347",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-24 17:29
Modified
2024-11-21 04:21
Severity ?
Summary
An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://seclists.org/fulldisclosure/2019/May/40 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.rcesecurity.com/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2019/May/40 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.rcesecurity.com/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D28B3436-41DB-4D57-81CE-657FCFE944E9",
"versionEndExcluding": "9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un problema en Quest KACE Systems Management Appliance anterior de la versi\u00f3n 9.1. El script en /service/kbot_service_notsoap.php es vulnerable a reflejos no autenticados XSS cuando la aplicaci\u00f3n web procesa la entrada suministrada por el usuario al par\u00e1metro METHOD GET. Dado que la aplicaci\u00f3n no valida y sanea apropiadamente este par\u00e1metro, es posible colocar un c\u00f3digo script arbitrario en el contexto de la misma p\u00e1gina."
}
],
"id": "CVE-2019-11604",
"lastModified": "2024-11-21T04:21:26.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-24T17:29:02.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/May/40"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/May/40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-03 19:29
Modified
2024-11-21 04:08
Severity ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| cret@cert.org | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance_firmware | * | |
| quest | kace_systems_management_appliance | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24B925CF-12DB-4729-8FD9-5CA8872B6679",
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"matchCriteriaId": "15602132-D4C9-466E-9973-CDE289F23363",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges (\u0027User Console Only\u0027 role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data."
},
{
"lang": "es",
"value": "El dispositivo Quest Kace K1000, versiones anteriores a 9.0.270, permite a un atacante remoto autenticado con los privilegios m\u00ednimos (funci\u00f3n \u0027Solo consola de usuario\u0027) explotar varias vulnerabilidades de Inyecci\u00f3n SQL ciega para recuperar informaci\u00f3n confidencial de la base de datos o copiar la base de datos completa. Un atacante remoto autenticado podr\u00eda aprovechar las inyecciones SQL ciegas para obtener datos confidenciales."
}
],
"id": "CVE-2018-5404",
"lastModified": "2024-11-21T04:08:45.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-03T19:29:01.593",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Severity ?
Summary
SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_asset_management_appliance | 6.4.120822 | |
| quest | kace_asset_management_appliance | 7.0 | |
| quest | kace_asset_management_appliance | 7.0.121306 | |
| quest | kace_asset_management_appliance | 7.1 | |
| quest | kace_asset_management_appliance | 7.1.149 | |
| quest | kace_asset_management_appliance | 7.2 | |
| quest | kace_systems_management_appliance | 6.4.120822 | |
| quest | kace_systems_management_appliance | 7.0 | |
| quest | kace_systems_management_appliance | 7.0.121306 | |
| quest | kace_systems_management_appliance | 7.1 | |
| quest | kace_systems_management_appliance | 7.1.149 | |
| quest | kace_systems_management_appliance | 7.2 | |
| quest | kace_systems_management_appliance | 7.2.101 | |
| quest | k1000_as_a_service | 7.0 | |
| quest | k1000_as_a_service | 7.0.121306 | |
| quest | k1000_as_a_service | 7.1 | |
| quest | k1000_as_a_service | 7.1.149 | |
| quest | k1000_as_a_service | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:6.4.120822:*:*:*:*:*:*:*",
"matchCriteriaId": "8009F05B-712F-417A-BB2E-5C6273D789AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA833ED-B9A7-4C7C-A58D-A266923CBE89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:7.0.121306:*:*:*:*:*:*:*",
"matchCriteriaId": "46609881-4011-4667-9121-7CFB96F10E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1C270DB0-232B-4CF9-B5CC-6266A7834911",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:7.1.149:*:*:*:*:*:*:*",
"matchCriteriaId": "BD4ABD83-C646-4FA1-9518-1E2C103883DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_asset_management_appliance:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0C13A622-F7EC-47C4-9E62-452D10D251F5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:6.4.120822:*:*:*:*:*:*:*",
"matchCriteriaId": "AD553EC2-0FD8-450D-9FE1-08C979D0823E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A51289-32D7-4657-B508-A69B091BDB20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.0.121306:*:*:*:*:*:*:*",
"matchCriteriaId": "E804AA7D-C40C-4C47-A05B-55DCCD7DF6DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AC8F0EEF-7E64-460C-9AB8-2AD8C987EB65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.1.149:*:*:*:*:*:*:*",
"matchCriteriaId": "68CEBEF9-6442-496D-8E64-788105C0C77E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A3974E4F-C02B-4903-9E4D-B099E3C86BA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:7.2.101:*:*:*:*:*:*:*",
"matchCriteriaId": "016EC87A-4889-4E56-A15F-CACBD6DA6F81",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:k1000_as_a_service:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1723889D-A814-4C2F-980E-58A136F20D9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:k1000_as_a_service:7.0.121306:*:*:*:*:*:*:*",
"matchCriteriaId": "E4E30595-7BC2-472A-9DB4-34E4C896971C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:k1000_as_a_service:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2672C38D-C094-45DF-B59D-986F9B411002",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:k1000_as_a_service:7.1.149:*:*:*:*:*:*:*",
"matchCriteriaId": "74248440-AD91-4755-A618-D04D336E24D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:k1000_as_a_service:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "746F52B2-BC6C-4840-AF21-289DE56E739E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inyecci\u00f3n SQL en Quest KACE Asset Management Appliance en sus versiones 6.4.120822 a 7.2, Systems Management Appliance en sus versiones 6.4.120822 a 7.2.101, y K1000 as a Service en sus versiones 7.0 a 7.2."
}
],
"id": "CVE-2017-12567",
"lastModified": "2024-11-21T03:09:46.307",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-07T16:29:00.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/231874"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/231874"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-06 15:15
Modified
2024-11-21 04:24
Severity ?
Summary
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | 9.1.317 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:9.1.317:*:*:*:*:*:*:*",
"matchCriteriaId": "58A273F5-6353-4595-BCE9-DBCFBEFB5F9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column."
},
{
"lang": "es",
"value": "Quest KACE Systems Management Appliance Server Center versi\u00f3n 9.1.317, es vulnerable a una inyecci\u00f3n SQL. Un usuario autenticado posee la capacidad de ejecutar comandos arbitrarios contra la base de datos. El componente afectado es /common/user_profile.php. El par\u00e1metro afectado es sort_column."
}
],
"id": "CVE-2019-13078",
"lastModified": "2024-11-21T04:24:09.380",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-06T15:15:11.283",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-03 19:29
Modified
2024-11-21 04:08
Severity ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | Exploit, Third Party Advisory | |
| cret@cert.org | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| cret@cert.org | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance_firmware | * | |
| quest | kace_systems_management_appliance | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24B925CF-12DB-4729-8FD9-5CA8872B6679",
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"matchCriteriaId": "15602132-D4C9-466E-9973-CDE289F23363",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with \u0027User Console Only\u0027 rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with \u0027user console only\u0027 rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator."
},
{
"lang": "es",
"value": "El dispositivo Quest Kace K1000, versiones anteriores a 9.0.270, permite a un usuario autenticado con menos privilegios con derechos de \u0027Solo consola de usuario\u0027 para inyectar c\u00f3digo JavaScript arbitrario en la p\u00e1gina de tickets. La ejecuci\u00f3n del script podr\u00eda permitir a un usuario malintencionado del sistema robar cookies de sesi\u00f3n de otros usuarios, incluido el Administrador, y hacerse cargo de su sesi\u00f3n. Esto puede ser explotado para lanzar otros ataques. El software tampoco neutraliza o neutraliza incorrectamente la entrada controlable por el usuario antes de que se coloque en la salida que se utiliza como una p\u00e1gina web que se sirve a otros usuarios. El software no neutraliza o neutraliza incorrectamente la entrada controlable por el usuario antes de que se coloque en la salida que se utiliza como una p\u00e1gina web que se sirve a otro usuario. Un usuario autenticado con derechos de \u0027solo consola de usuario\u0027 puede inyectar JavaScript arbitrario, lo que podr\u00eda resultar en que un atacante tome el control de una sesi\u00f3n de otros, incluido un Administrador."
}
],
"id": "CVE-2018-5405",
"lastModified": "2024-11-21T04:08:45.250",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-03T19:29:01.657",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
},
{
"source": "cret@cert.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-02 22:15
Modified
2024-11-21 06:59
Severity ?
Summary
In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A49F4D9F-072E-40D5-96DF-DA7209C534DC",
"versionEndExcluding": "12.1.168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled."
},
{
"lang": "es",
"value": "En Quest KACE Systems Management Appliance (SMA) versiones hasta 12.0, es producida una generaci\u00f3n de tokens predecible cuando es habilitada la vinculaci\u00f3n de dispositivos"
}
],
"id": "CVE-2022-29808",
"lastModified": "2024-11-21T06:59:43.403",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-02T22:15:08.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/338163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338163/quest-response-to-kace-sma-vulnerabilities-cve-2022-29808"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/338163"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-02 22:15
Modified
2024-11-21 06:59
Severity ?
Summary
A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A49F4D9F-072E-40D5-96DF-DA7209C534DC",
"versionEndExcluding": "12.1.168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de inyecci\u00f3n SQL en Quest KACE Systems Management Appliance (SMA) versiones hasta 12.0, que puede permitir una ejecuci\u00f3n de c\u00f3digo remota por medio del archivo download_agent_installer.php"
}
],
"id": "CVE-2022-29807",
"lastModified": "2024-11-21T06:59:43.257",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-02T22:15:08.560",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/338162"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kace-systems-management-appliance/kb/338162/quest-response-to-kace-sma-vulnerabilities-cve-2022-29807"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/338162"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-03 19:29
Modified
2024-11-21 04:08
Severity ?
Summary
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cret@cert.org | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| cret@cert.org | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.quest.com/kb/288310/cert-coordination-center-report-update | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/877837/ | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance_firmware | * | |
| quest | kace_systems_management_appliance | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24B925CF-12DB-4729-8FD9-5CA8872B6679",
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"matchCriteriaId": "15602132-D4C9-466E-9973-CDE289F23363",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance\u2019s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance\u0027s settings."
},
{
"lang": "es",
"value": "El dispositivo Quest Kace K1000, versiones anteriores a la versi\u00f3n 9.0.270, permite a un atacante remoto explotar el mecanismo de intercambio de recursos de origen cruzado (CORS) mal configurado. Un atacante remoto no autenticado podr\u00eda aprovechar esta vulnerabilidad para realizar acciones sensibles, como agregar una nueva cuenta de administrador o cambiar la configuraci\u00f3n del dispositivo. Un usuario interno malintencionado tambi\u00e9n podr\u00eda obtener privilegios de administrador de este dispositivo y usarlo para visitar un enlace malicioso que explota esta vulnerabilidad. Esto podr\u00eda hacer que la aplicaci\u00f3n realice acciones delicadas, como agregar una nueva cuenta de administrador o cambiar la configuraci\u00f3n del dispositivo. Un atacante remoto no autenticado podr\u00eda agregar una cuenta de nivel de administrador o cambiar la configuraci\u00f3n del dispositivo."
}
],
"id": "CVE-2018-5406",
"lastModified": "2024-11-21T04:08:45.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-03T19:29:01.703",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
},
{
"source": "cret@cert.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/877837/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-01 00:15
Modified
2024-11-21 07:16
Severity ?
Summary
An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quest | kace_systems_management_appliance | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CAFB774-19F3-4B16-8C3C-4300283F45C2",
"versionEndIncluding": "12.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML."
}
],
"id": "CVE-2022-38220",
"lastModified": "2024-11-21T07:16:04.727",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-01T00:15:10.823",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://support.quest.com/kb/339613"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/4368602/quest-response-to-kace-sma-vulnerability-cve-2022-38220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://support.quest.com/kb/339613"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.quest.com/kb/4368602/quest-response-to-kace-sma-vulnerability-cve-2022-38220"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}