var-201401-0429
Vulnerability from variot
Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php. (1) service/kbot_service.php To getUploadPath request (2) service/kbot_service.php To getKBot SOAP request (3) userui/advisory_detail.php of ID Parameters (4) userui/ticket.php of ID Parameters (5) userui/ticket_list.php of ORDER[] Parameters. Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. Dell KACE K1000 is a set of IT equipment management solutions in the KACE system management series of Dell (Dell). This solution provides functions such as software distribution, configuration management, patch installation, and security vulnerability remediation. The vulnerability is caused by (1) the service/kbot_service.php script does not correctly filter the 'macAddres' element in the getUploadPath and getKBot SOAP requests; (2) userui/advisory_detail The .php and userui/ticket.php scripts did not filter the 'ID' parameter correctly; (3) the userui/ticket_list.php script did not filter the 'ORDER[]' parameter correctly
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201401-0429",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace k1000 systems management appliance",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": null
},
{
"model": "kace k1100s systems management appliance",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": null
},
{
"model": "kace k1000 systems management virtual appliance",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": null
},
{
"model": "kace k1200s systems management appliance",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": null
},
{
"model": "kace k1000 systems management appliance software",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": "5.4.76847"
},
{
"model": "kace k1000 systems management appliance",
"scope": null,
"trust": 0.8,
"vendor": "dell",
"version": null
},
{
"model": "kace k1000 systems management appliance software",
"scope": "lte",
"trust": 0.8,
"vendor": "dell",
"version": "5.4.76847"
},
{
"model": "kace k1100s systems management appliance",
"scope": null,
"trust": 0.8,
"vendor": "dell",
"version": null
},
{
"model": "kace k1200s systems management appliance",
"scope": null,
"trust": 0.8,
"vendor": "dell",
"version": null
},
{
"model": "kace virtual k1000 systems management appliance",
"scope": null,
"trust": 0.8,
"vendor": "dell",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:dell:kace_k1200s_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:dell:kace_k1100s_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dell:kace_k1000_systems_management_appliance_software:5.4.76847:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:dell:kace_k1000_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dell:kace_k1000_systems_management_virtual_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2014-1671"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Rohan Stelling, Bart Borkowski, and Alex Manusu, Detica.",
"sources": [
{
"db": "BID",
"id": "65029"
}
],
"trust": 0.3
},
"cve": "CVE-2014-1671",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2014-1671",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-69610",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2014-1671",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201401-540",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-69610",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php. (1) service/kbot_service.php To getUploadPath request (2) service/kbot_service.php To getKBot SOAP request (3) userui/advisory_detail.php of ID Parameters (4) userui/ticket.php of ID Parameters (5) userui/ticket_list.php of ORDER[] Parameters. Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. \nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \nDell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. Dell KACE K1000 is a set of IT equipment management solutions in the KACE system management series of Dell (Dell). This solution provides functions such as software distribution, configuration management, patch installation, and security vulnerability remediation. The vulnerability is caused by (1) the service/kbot_service.php script does not correctly filter the \u0027macAddres\u0027 element in the getUploadPath and getKBot SOAP requests; (2) userui/advisory_detail The .php and userui/ticket.php scripts did not filter the \u0027ID\u0027 parameter correctly; (3) the userui/ticket_list.php script did not filter the \u0027ORDER[]\u0027 parameter correctly",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "BID",
"id": "65029"
},
{
"db": "VULHUB",
"id": "VHN-69610"
}
],
"trust": 1.98
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-69610",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-1671",
"trust": 2.8
},
{
"db": "SECUNIA",
"id": "56396",
"trust": 1.7
},
{
"db": "BID",
"id": "65029",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540",
"trust": 0.7
},
{
"db": "XF",
"id": "90592",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "39057",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-69610",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
},
{
"db": "BID",
"id": "65029"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"id": "VAR-201401-0429",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:58:03.366000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Dell KACE K1000 Systems Management Appliance",
"trust": 0.8,
"url": "https://www.kace.com/products/systems-management-appliance/tech-specs"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "http://www.baesystemsdetica.com.au/research/advisories/dell-kace-k1000-sql-injection-%28ds-2014-001%29"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/56396"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/65029"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1671"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1671"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/90592"
},
{
"trust": 0.6,
"url": "http://www.baesystemsdetica.com.au/research/advisories/dell-kace-k1000-sql-injection-(ds-2014-001)"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-69610"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-69610"
},
{
"db": "BID",
"id": "65029"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-01-26T00:00:00",
"db": "VULHUB",
"id": "VHN-69610"
},
{
"date": "2014-01-13T00:00:00",
"db": "BID",
"id": "65029"
},
{
"date": "2014-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"date": "2014-01-26T01:55:20.657000",
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"date": "2014-01-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-13T00:00:00",
"db": "VULHUB",
"id": "VHN-69610"
},
{
"date": "2014-01-28T01:03:00",
"db": "BID",
"id": "65029"
},
{
"date": "2014-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001260"
},
{
"date": "2023-11-07T02:19:02.530000",
"db": "NVD",
"id": "CVE-2014-1671"
},
{
"date": "2014-01-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Dell KACE K1000 In SQL Injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001260"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201401-540"
}
],
"trust": 0.6
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.