CVE-2018-11136 Information

Description

The ‘orgID’ parameter received by the ‘/common/download_agent_installer.php’ script in the Quest KACE System Management Appliance 8.0.318 is not sanitized leading to SQL injection (in particular a blind time-based type).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8