var-201905-1144
Vulnerability from variot
An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. QuestSoftwareKACESystemsManagementAppliance is a system management device from QuestSoftware, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in QuestSoftwareKACESystemsManagementAppliance 9.0 and earlier that could allow an attacker to execute client-side code
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201905-1144",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management appliance",
"scope": "lt",
"trust": 1.8,
"vendor": "quest",
"version": "9.1"
},
{
"model": "software kace systems management appliance",
"scope": "lte",
"trust": 0.6,
"vendor": "quest",
"version": "\u003c=9.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:quest:kace_systems_management_appliance",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Julien Ahrens",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
},
"cve": "CVE-2019-11604",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2019-11604",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2019-25506",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2019-11604",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-11604",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-11604",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-25506",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201905-976",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. QuestSoftwareKACESystemsManagementAppliance is a system management device from QuestSoftware, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in QuestSoftwareKACESystemsManagementAppliance 9.0 and earlier that could allow an attacker to execute client-side code",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-11604",
"trust": 3.0
},
{
"db": "PACKETSTORM",
"id": "153053",
"trust": 3.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-25506",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"id": "VAR-201905-1144",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
],
"trust": 1.225
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
]
},
"last_update_date": "2024-11-23T22:21:36.932000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/jp-ja/products/kace-systems-management-appliance/"
},
{
"title": "Patch for QuestSoftwareKACESystemsManagementAppliance Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/172815"
},
{
"title": "Quest Software KACE Systems Management Appliance Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92928"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "http://packetstormsecurity.com/files/153053/quest-kace-systems-management-appliance-9.0-cross-site-scripting.html"
},
{
"trust": 2.2,
"url": "http://seclists.org/fulldisclosure/2019/may/40"
},
{
"trust": 2.2,
"url": "https://www.rcesecurity.com/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-11604"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11604"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"date": "2019-06-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"date": "2019-05-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"date": "2019-05-24T17:29:02.633000",
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"date": "2019-06-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"date": "2019-05-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-976"
},
{
"date": "2024-11-21T04:21:26.060000",
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest Software KACE Systems Management Appliance Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.