CVE-2018-5405 — MEDIUM (5.4)

Q: How severe is CVE-2018-5405?

CVE-2018-5405 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-5405?

Check the references section above for vendor advisories and patch information. Affected products include: Quest Kace Systems Management Appliance Firmware, Quest Kace Systems Management Appliance.

Vulnerability Description

The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator.

CVSS Score

5.4

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Quest	Kace Systems Management Appliance Firmware	< 9.0.270
Quest	Kace Systems Management Appliance	-

Related Weaknesses (CWE)

CWE-79

References

http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-AppliancExploitThird Party Advisory
https://support.quest.com/kb/288310/cert-coordination-center-report-updateVendor Advisory
https://www.kb.cert.org/vuls/id/877837/Third Party AdvisoryUS Government Resource
http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-AppliancExploitThird Party Advisory
https://support.quest.com/kb/288310/cert-coordination-center-report-updateVendor Advisory
https://www.kb.cert.org/vuls/id/877837/Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2018-5405?

CVE-2018-5405 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets ...

How severe is CVE-2018-5405?

CVE-2018-5405 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-5405?

Check the references section above for vendor advisories and patch information. Affected products include: Quest Kace Systems Management Appliance Firmware, Quest Kace Systems Management Appliance.