Skip to main content

Kace System Management Appliance

11 CVEs product

Monthly

CVE-2018-11142 MEDIUM POC This Month

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Kace System Management Appliance
NVD
CVSS 3.0
5.5
EPSS
0.4%
CVE-2018-11141 CRITICAL POC Act Now

The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Kace System Management Appliance
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2018-11140 CRITICAL POC Act Now

The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Kace System Management Appliance
NVD
CVSS 3.0
9.8
EPSS
1.4%
CVE-2018-11139 HIGH POC THREAT This Week

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Kace System Management Appliance
NVD
CVSS 3.0
8.8
EPSS
42.9%
CVE-2018-11138 CRITICAL POC KEV THREAT Emergency

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Kace System Management Appliance
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
91.9%
CVE-2018-11137 MEDIUM POC This Month

The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Kace System Management Appliance
NVD
CVSS 3.0
6.5
EPSS
6.5%
CVE-2018-11136 CRITICAL POC Act Now

The 'orgID' parameter received by the '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Kace System Management Appliance
NVD
CVSS 3.0
9.8
EPSS
1.4%
CVE-2018-11135 HIGH POC This Week

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Prototype Pollution PHP Kace System Management Appliance
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2018-11134 HIGH POC This Week

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Kace System Management Appliance
NVD
CVSS 3.0
8.8
EPSS
3.0%
CVE-2018-11133 MEDIUM POC This Month

The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Kace System Management Appliance
NVD
CVSS 3.0
6.1
EPSS
7.3%
CVE-2018-11132 HIGH POC THREAT This Week

In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Kace System Management Appliance
NVD
CVSS 3.0
8.8
EPSS
18.3%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Kace System Management Appliance
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Kace System Management Appliance
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Kace System Management Appliance
NVD
EPSS 43% CVSS 8.8
HIGH POC THREAT This Week

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Kace System Management Appliance
NVD
EPSS 92% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Kace System Management Appliance
NVD Exploit-DB
EPSS 6% CVSS 6.5
MEDIUM POC This Month

The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Kace System Management Appliance
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The 'orgID' parameter received by the '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Kace System Management Appliance
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Prototype Pollution PHP +1
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Kace System Management Appliance
NVD
EPSS 7% CVSS 6.1
MEDIUM POC This Month

The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Kace System Management Appliance
NVD
EPSS 18% CVSS 8.8
HIGH POC THREAT This Week

In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Kace System Management Appliance
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy