Vulnerability-Lookup

CVE-2019-11604 (GCVE-0-2019-11604)

Vulnerability from cvelistv5 – Published: 2019-05-24 16:04 – Updated: 2024-08-04 22:55

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.rcesecurity.com/	x_refsource_MISC
	http://packetstormsecurity.com/files/153053/Quest…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2019/May/40	mailing-listx_refsource_FULLDISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:55:41.050Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rcesecurity.com/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
          },
          {
            "name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/May/40"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-24T18:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rcesecurity.com/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
        },
        {
          "name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/May/40"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11604",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.rcesecurity.com/",
              "refsource": "MISC",
              "url": "https://www.rcesecurity.com/"
            },
            {
              "name": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
            },
            {
              "name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/May/40"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-11604",
    "datePublished": "2019-05-24T16:04:52",
    "dateReserved": "2019-04-30T00:00:00",
    "dateUpdated": "2024-08-04T22:55:41.050Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"9.1\", \"matchCriteriaId\": \"D28B3436-41DB-4D57-81CE-657FCFE944E9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 un problema en Quest KACE Systems Management Appliance anterior de la versi\\u00f3n 9.1. El script en /service/kbot_service_notsoap.php es vulnerable a reflejos no autenticados XSS cuando la aplicaci\\u00f3n web procesa la entrada suministrada por el usuario al par\\u00e1metro METHOD GET. Dado que la aplicaci\\u00f3n no valida y sanea apropiadamente este par\\u00e1metro, es posible colocar un c\\u00f3digo script arbitrario en el contexto de la misma p\\u00e1gina.\"}]",
      "id": "CVE-2019-11604",
      "lastModified": "2024-11-21T04:21:26.060",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-05-24T17:29:02.633",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/May/40\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.rcesecurity.com/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/May/40\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.rcesecurity.com/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-11604\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-05-24T17:29:02.633\",\"lastModified\":\"2024-11-21T04:21:26.060\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un problema en Quest KACE Systems Management Appliance anterior de la versi\u00f3n 9.1. El script en /service/kbot_service_notsoap.php es vulnerable a reflejos no autenticados XSS cuando la aplicaci\u00f3n web procesa la entrada suministrada por el usuario al par\u00e1metro METHOD GET. Dado que la aplicaci\u00f3n no valida y sanea apropiadamente este par\u00e1metro, es posible colocar un c\u00f3digo script arbitrario en el contexto de la misma p\u00e1gina.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.1\",\"matchCriteriaId\":\"D28B3436-41DB-4D57-81CE-657FCFE944E9\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/May/40\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.rcesecurity.com/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/May/40\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.rcesecurity.com/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2019-11604

Vulnerability from fkie_nvd - Published: 2019-05-24 17:29 - Updated: 2024-11-21 04:21

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2019/May/40	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://www.rcesecurity.com/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/May/40	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.rcesecurity.com/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	quest	kace_systems_management_appliance	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D28B3436-41DB-4D57-81CE-657FCFE944E9",
              "versionEndExcluding": "9.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un problema en Quest KACE Systems Management Appliance anterior de la versi\u00f3n 9.1. El script en /service/kbot_service_notsoap.php es vulnerable a reflejos no autenticados XSS cuando la aplicaci\u00f3n web procesa la entrada suministrada por el usuario al par\u00e1metro METHOD GET. Dado que la aplicaci\u00f3n no valida y sanea apropiadamente este par\u00e1metro, es posible colocar un c\u00f3digo script arbitrario en el contexto de la misma p\u00e1gina."
    }
  ],
  "id": "CVE-2019-11604",
  "lastModified": "2024-11-21T04:21:26.060",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-24T17:29:02.633",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/May/40"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.rcesecurity.com/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/May/40"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.rcesecurity.com/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-7MW5-6RMV-P5MM

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:47

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-11604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-24T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.",
  "id": "GHSA-7mw5-6rmv-p5mm",
  "modified": "2024-04-04T00:47:34Z",
  "published": "2022-05-24T16:46:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11604"
    },
    {
      "type": "WEB",
      "url": "https://www.rcesecurity.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/May/40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

VAR-201905-1144

Vulnerability from variot - Updated: 2023-12-18 14:05

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. QuestSoftwareKACESystemsManagementAppliance is a system management device from QuestSoftware, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in QuestSoftwareKACESystemsManagementAppliance 9.0 and earlier that could allow an attacker to execute client-side code

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201905-1144",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "kace systems management appliance",
        "scope": "lt",
        "trust": 1.8,
        "vendor": "quest",
        "version": "9.1"
      },
      {
        "model": "software kace systems management appliance",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "quest",
        "version": "\u003c=9.0"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Julien Ahrens",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2019-11604",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2019-11604",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2019-25506",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2019-11604",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-11604",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-25506",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201905-976",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. QuestSoftwareKACESystemsManagementAppliance is a system management device from QuestSoftware, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in QuestSoftwareKACESystemsManagementAppliance 9.0 and earlier that could allow an attacker to execute client-side code",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-11604",
        "trust": 3.0
      },
      {
        "db": "PACKETSTORM",
        "id": "153053",
        "trust": 3.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "id": "VAR-201905-1144",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      }
    ],
    "trust": 1.225
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      }
    ]
  },
  "last_update_date": "2023-12-18T14:05:09.135000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "KACE Systems Management Appliance",
        "trust": 0.8,
        "url": "https://www.quest.com/jp-ja/products/kace-systems-management-appliance/"
      },
      {
        "title": "Patch for QuestSoftwareKACESystemsManagementAppliance Cross-Site Scripting Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/172815"
      },
      {
        "title": "Quest Software KACE Systems Management Appliance Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=92928"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.6,
        "url": "http://packetstormsecurity.com/files/153053/quest-kace-systems-management-appliance-9.0-cross-site-scripting.html"
      },
      {
        "trust": 2.2,
        "url": "http://seclists.org/fulldisclosure/2019/may/40"
      },
      {
        "trust": 2.2,
        "url": "https://www.rcesecurity.com/"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11604"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11604"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-08-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "date": "2019-06-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "date": "2019-05-24T17:29:02.633000",
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "date": "2019-05-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-08-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "date": "2019-06-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-004947"
      },
      {
        "date": "2019-05-29T23:54:03.683000",
        "db": "NVD",
        "id": "CVE-2019-11604"
      },
      {
        "date": "2019-05-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Quest Software KACE Systems Management Appliance Cross-Site Scripting Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-25506"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-976"
      }
    ],
    "trust": 0.6
  }
}

GSD-2019-11604

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-11604

Aliases

CVE-2019-11604

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-11604",
    "description": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.",
    "id": "GSD-2019-11604",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2019-11604"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-11604"
      ],
      "details": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.",
      "id": "GSD-2019-11604",
      "modified": "2023-12-13T01:24:02.412442Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-11604",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.rcesecurity.com/",
            "refsource": "MISC",
            "url": "https://www.rcesecurity.com/"
          },
          {
            "name": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
          },
          {
            "name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/May/40"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11604"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.rcesecurity.com/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.rcesecurity.com/"
            },
            {
              "name": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html"
            },
            {
              "name": "20190524 [CVE-2019-11604] Quest KACE Systems Management Appliance \u003c= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/May/40"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-05-29T23:54Z",
      "publishedDate": "2019-05-24T17:29Z"
    }
  }
}

CNVD-2019-25506

Vulnerability from cnvd - Published: 2019-08-02

Title

Quest Software KACE Systems Management Appliance跨站脚本漏洞

Description

Quest Software KACE Systems Management Appliance是美国Quest Software公司的一款系统管理设备。该产品支持IT资产管理、服务器管理与监控、软件许可管理和补丁管理等功能。 Quest Software KACE Systems Management Appliance 9.0及之前版本中存在跨站脚本漏洞，攻击者可利用该漏洞执行客户端代码。

Severity

中

Patch Name

Quest Software KACE Systems Management Appliance跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.quest.com/

Reference

https://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/May/40 https://www.rcesecurity.com/

Impacted products

Name
Quest Software KACE Systems Management Appliance <=9.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11604",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11604"
    }
  },
  "description": "Quest Software KACE Systems Management Appliance\u662f\u7f8e\u56fdQuest Software\u516c\u53f8\u7684\u4e00\u6b3e\u7cfb\u7edf\u7ba1\u7406\u8bbe\u5907\u3002\u8be5\u4ea7\u54c1\u652f\u6301IT\u8d44\u4ea7\u7ba1\u7406\u3001\u670d\u52a1\u5668\u7ba1\u7406\u4e0e\u76d1\u63a7\u3001\u8f6f\u4ef6\u8bb8\u53ef\u7ba1\u7406\u548c\u8865\u4e01\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nQuest Software KACE Systems Management Appliance 9.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "discovererName": "Julien Ahrens",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.quest.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-25506",
  "openTime": "2019-08-02",
  "patchDescription": "Quest Software KACE Systems Management Appliance\u662f\u7f8e\u56fdQuest Software\u516c\u53f8\u7684\u4e00\u6b3e\u7cfb\u7edf\u7ba1\u7406\u8bbe\u5907\u3002\u8be5\u4ea7\u54c1\u652f\u6301IT\u8d44\u4ea7\u7ba1\u7406\u3001\u670d\u52a1\u5668\u7ba1\u7406\u4e0e\u76d1\u63a7\u3001\u8f6f\u4ef6\u8bb8\u53ef\u7ba1\u7406\u548c\u8865\u4e01\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nQuest Software KACE Systems Management Appliance 9.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Quest Software KACE Systems Management Appliance\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Quest Software KACE Systems Management Appliance \u003c=9.0"
  },
  "referenceLink": "https://packetstormsecurity.com/files/153053/Quest-KACE-Systems-Management-Appliance-9.0-Cross-Site-Scripting.html\r\nhttp://seclists.org/fulldisclosure/2019/May/40\r\nhttps://www.rcesecurity.com/",
  "serverity": "\u4e2d",
  "submitTime": "2019-05-23",
  "title": "Quest Software KACE Systems Management Appliance\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-11604 (GCVE-0-2019-11604)

FKIE_CVE-2019-11604

GHSA-7MW5-6RMV-P5MM

VAR-201905-1144

GSD-2019-11604

CNVD-2019-25506

Tags

Sightings

Nomenclature