Remote Code Execution Vulnerability in Quest KACE System Management Appliance 8.0.318

Remote Code Execution Vulnerability in Quest KACE System Management Appliance 8.0.318

CVE-2018-11142 · LOW Severity

AV:L/AC:L/AU:N/C:N/I:N/A:P

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization.

Learn more about our Network Penetration Testing.