Vulnerabilities > Quest > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-06-03 | CVE-2018-5405 | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance Firmware 9.0. The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. | 5.4 |
2019-06-03 | CVE-2018-5404 | SQL Injection vulnerability in Quest Kace Systems Management Appliance Firmware 9.0. The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. | 6.5 |
2019-05-24 | CVE-2019-11604 | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance. An issue was discovered in Quest KACE Systems Management Appliance before 9.1. | 6.1 |
2018-05-31 | CVE-2018-11142 | Incorrect Authorization vulnerability in Quest Kace System Management Appliance 8.0.318. The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. | 5.5 |
2018-05-31 | CVE-2018-11137 | Path Traversal vulnerability in Quest Kace System Management Appliance 8.0.318. The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal. | 6.5 |
2018-05-31 | CVE-2018-11133 | Cross-site Scripting vulnerability in Quest Kace System Management Appliance 8.0.318. The 'fmt' parameter of the '/common/run_cross_report.php' script in the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. | 6.1 |