Vulnerability CVE-2018-11138


Published: 2018-05-31

Description:
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

See advisories in our WLB2 database:
Risk | Topic | Author | Date
High | Quest KACE Systems Management Command Injection | Brendan Coles | 27.06.2018
Med. | Quest KACE Systems Management Command Injection | Metasploit | 02.07.2018

Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
Quest -> Kace system management appliance

 References:
https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
https://www.exploit-db.com/exploits/44950/
