Vulnerabilities > CVE-2018-5406 - Unspecified vulnerability in Quest Kace Systems Management Appliance Firmware 9.0

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
quest
exploit available
NVD
Published: 2019-06-03
Updated: 2020-09-18

Summary

The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.

Vulnerable Configurations

Part Description Count
OS
Quest
1
Hardware
Quest
1

Exploit-Db

idEDB-ID:46956
last seen2019-06-03
modified2019-06-03
published2019-06-03
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46956
titleKACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/153150/kacesma-sqlxss.txt
idPACKETSTORM:153150
last seen2019-06-05
published2019-06-03
reporterSlidingWindow
sourcehttps://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html
titleDell KACE System Management Appliance (SMA) XSS / SQL Injection

References