CVE-2018-11139

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via the POST method.
Configurations

Configuration 1 (hide)

cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*

History

21 Nov 2024, 03:42

Type Values Removed Values Added
References () https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities - Exploit, Technical Description, Third Party Advisory () https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities - Exploit, Technical Description, Third Party Advisory

Information

Published : 2018-05-31 18:29

Updated : 2024-11-21 03:42


NVD link : CVE-2018-11139

Mitre link : CVE-2018-11139

CVE.ORG link : CVE-2018-11139


JSON object : View

Products Affected

quest

  • kace_system_management_appliance
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')