var-201906-1118
Vulnerability from variot
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. QuestSoftwareKaceK1000Appliance is a system management device from QuestSoftware, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-1118",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management appliance",
"scope": "lt",
"trust": 1.8,
"vendor": "quest",
"version": "9.0.270"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "quest kace",
"version": null
},
{
"model": "software kace k1000 appliance",
"scope": "lt",
"trust": 0.6,
"vendor": "quest",
"version": "9.0.270"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"cve": "CVE-2018-5404",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-5404",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2019-21112",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-5404",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-5404",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-21112",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-043",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges (\u0027User Console Only\u0027 role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. QuestSoftwareKaceK1000Appliance is a system management device from QuestSoftware, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-5404",
"trust": 3.8
},
{
"db": "CERT/CC",
"id": "VU#877837",
"trust": 3.8
},
{
"db": "JVN",
"id": "JVNVU91210160",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-21112",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043",
"trust": 0.6
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"id": "VAR-201906-1118",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
],
"trust": 1.2666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
]
},
"last_update_date": "2023-12-18T12:28:09.252000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.quest.com/"
},
{
"title": "QuestSoftwareKaceK1000ApplianceSQL injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/166971"
},
{
"title": "Quest Software Kace K1000 Appliance SQL Repair measures for injecting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=93135"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 3.0,
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5404"
},
{
"trust": 1.6,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5404"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5405"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5406"
},
{
"trust": 0.8,
"url": "https://support.quest.com/kace-systems-management-appliance/9.1/download-new-releaseshttps://support.quest.com/https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91210160/index.html"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-01T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"date": "2019-06-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"date": "2019-06-03T19:29:01.593000",
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"date": "2019-06-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-03T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"date": "2019-06-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"date": "2019-10-09T23:41:18.487000",
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"date": "2019-06-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest Software Kace K1000 Appliance SQL Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.