CVE-2018-5404

moderate-risk

Published 2019-06-03

The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data.

Do I need to act?

0.46% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

46956

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Kace Systems Management Appliance Firmware

Affected Vendors

Quest

References (4)

Vendor Advisory https://support.quest.com/kb/288310/cert-coordination-center-report-update

Third Party Advisory https://www.kb.cert.org/vuls/id/877837/

Vendor Advisory https://support.quest.com/kb/288310/cert-coordination-center-report-update

Third Party Advisory https://www.kb.cert.org/vuls/id/877837/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 9/34 · Low

Exposure 5/34 · Minimal