Quest KACE Systems Management Appliance up to 9.0 Web Application kbot_service_notsoap.php GET Parameter cross site scripting
| CVSS Meta Temp Score | Current Exploit Price (≈) |
|---|---|
| 4.1 | $0-$5k |
A vulnerability, which was classified as problematic, has been found in Quest KACE Systems Management Appliance up to 9.0. This issue affects some functionality of the file /service/kbot_service_notsoap.php of the component Web Application. The manipulation as part of a GET Parameter leads to a cross site scripting vulnerability (Reflected). Using CWE to declare the problem leads to CWE-80. Impacted is integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.
The weakness was released 05/24/2019 as mailinglist post (Full-Disclosure). It is possible to read the advisory at seclists.org. The identification of this vulnerability is CVE-2019-11604 since 04/30/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit.
Upgrading to version 9.1 eliminates this vulnerability.
Vendor
Name
VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: ?
VulDB Reliability: ?
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| ? | ? | ? | ? | ? | ? |
| ? | ? | ? | ? | ? | ? |
| ? | ? | ? | ? | ? | ? |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: ?
VulDB Temp Score: ?
VulDB Reliability: ?
Class: Cross site scripting / Reflected (CWE-80)
Local: No
Remote: Yes
Availability: ?
Status: Not defined
Current Price Estimation: ?
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Price Prediction: ?
Threat Intelligence
Threat: ?
Adversaries: ?
Geopolitics: ?
Economy: ?
Predictions: ?
Remediation: ?Recommended: Upgrade
Status: ?
0-Day Time: ?
Upgrade: KACE Systems Management Appliance 9.1
04/30/2019 CVE assigned
05/24/2019 Advisory disclosed
05/25/2019 VulDB entry created
05/25/2019 VulDB last updateVendor: quest.com
Advisory: seclists.org
CVE: CVE-2019-11604 (?)
Created: 05/25/2019 11:05 AM
Complete: ?
Comments
See the underground prices here!
https://vuldb.com/?id.135551
Comments are closed.
No comments yet. Please log in to comment.