CVE-2018-5406

The Quest Kace K1000 Appliance misconfigures the Cross-Origin Resource Sharing (CORS) mechanism.

EPSS 12.2%CWE-284

The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.

Affected products

Quest Kace · K1000 Appliance

public PoCs found — 2

cve_referencepacketstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.htmlunverified exploitdbwww.exploit-db.com/exploits/46956unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html https://support.quest.com/kb/288310/cert-coordination-center-report-update https://www.kb.cert.org/vuls/id/877837/