CVE-2018-11140 Information

Description

The ‘reportID’ parameter received by the ‘/common/run_report.php’ script in the Quest KACE System Management Appliance 8.0.318 is not sanitized leading to SQL injection (in particular an error-based type).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8