19 matches found
EUVD-2018-3183
Malware in sbrugna...
EUVD-2022-34129
Malicious code in bioql PyPI...
Authorization
The 'systemui/settingsnetwork.php' and 'systemui/settingspatching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'XForwardedFor' HTTP headers in a POST request. An anonymous user c...
Design/Logic Flaw
In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password including root. A...
CVE-2018-11134
In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password including root. A...
CVE-2018-11138
The '/common/downloadagentinstaller.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system...
Design/Logic Flaw
The '/common/downloadagentinstaller.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system...
CVE-2018-11133
The 'fmt' parameter of the '/common/runcrossreport.php' script in the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting...
CVE-2018-11142
The 'systemui/settingsnetwork.php' and 'systemui/settingspatching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'XForwardedFor' HTTP headers in a POST request. An anonymous user c...
Cross site scripting
The 'fmt' parameter of the '/common/runcrossreport.php' script in the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting...
Design/Logic Flaw
The script '/adminui/errordetails.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks...
Sql injection
The 'orgID' parameter received by the '/common/downloadagentinstaller.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection, in particular a blind time-based type...
CVE-2018-11132
In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed. A command injection vulnerability exists within this message queue...
CVE-2018-11141
The 'IMAGESJSON' and 'attachmentstoremove' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the 'www' user has write...
CVE-2018-11139
The '/common/ajaxemailconnectiontest.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TESTSERVER'...
CVE-2018-11139
The CVE-2018-11139 entry describes a command injection in Quest KACE System Management Appliance 8.0.318 via the authenticated-accessible /common/ajax_email_connection_test.php endpoint. The vulnerability allows an authenticated user to inject commands through the unsanitized TEST_SERVER paramete...
CVE-2018-11138
The '/common/downloadagentinstaller.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system...