CVE-2018-11141

The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the 'www' user has write permissions.
Configurations

Configuration 1 (hide)

cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*

History

21 Nov 2024, 03:42

Type Values Removed Values Added
References () https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities - Exploit, Technical Description, Third Party Advisory () https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities - Exploit, Technical Description, Third Party Advisory

Information

Published : 2018-05-31 18:29

Updated : 2024-11-21 03:42


NVD link : CVE-2018-11141

Mitre link : CVE-2018-11141

CVE.ORG link : CVE-2018-11141


JSON object : View

Products Affected

quest

  • kace_system_management_appliance
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')