ID

VAR-201905-1144


CVE

CVE-2019-11604


TITLE

Quest Software KACE Systems Management Appliance Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-25506 // CNNVD: CNNVD-201905-976

DESCRIPTION

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Because the application does not properly validate and sanitize this parameter, arbitrary script code can be placed into the context of the same page. Quest Software KACE Systems Management Appliance is a system management device from Quest Software, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in Quest Software KACE Systems Management Appliance 9.0 and earlier that could allow an attacker to execute client-side code.

Trust: 2.16

sources: NVD: CVE-2019-11604 // JVNDB: JVNDB-2019-004947 // CNVD: CNVD-2019-25506

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-25506

AFFECTED PRODUCTS

vendor: quest
model: kace systems management appliance
scope: lt
version: 9.1

Trust: 1.8

vendor: quest
model: software kace systems management appliance
scope: lte
version: <=9.0

Trust: 0.6

sources: CNVD: CNVD-2019-25506 // JVNDB: JVNDB-2019-004947 // NVD: CVE-2019-11604

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11604
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-11604
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-25506
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201905-976
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-11604
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-25506
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-11604
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-25506 // JVNDB: JVNDB-2019-004947 // CNNVD: CNNVD-201905-976 // NVD: CVE-2019-11604

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-004947 // NVD: CVE-2019-11604

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-976

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201905-976

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004947

PATCH

title: KACE Systems Management Appliance
url: https://www.quest.com/jp-ja/products/kace-systems-management-appliance/

Trust: 0.8

title: Patch for Quest Software KACE Systems Management Appliance Cross-Site Scripting Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/172815

Trust: 0.6

title: Quest Software KACE Systems Management Appliance Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92928

Trust: 0.6

sources: CNVD: CNVD-2019-25506 // JVNDB: JVNDB-2019-004947 // CNNVD: CNNVD-201905-976

EXTERNAL IDS

db: NVD, id: CVE-2019-11604

Trust: 3.0

db: PACKETSTORM, id: 153053

Trust: 3.0

db: JVNDB, id: JVNDB-2019-004947

Trust: 0.8

db: CNVD, id: CNVD-2019-25506

Trust: 0.6

db: CNNVD, id: CNNVD-201905-976

Trust: 0.6

sources: CNVD: CNVD-2019-25506 // JVNDB: JVNDB-2019-004947 // CNNVD: CNNVD-201905-976 // NVD: CVE-2019-11604

REFERENCES

url: http://packetstormsecurity.com/files/153053/quest-kace-systems-management-appliance-9.0-cross-site-scripting.html

Trust: 3.6

url: http://seclists.org/fulldisclosure/2019/may/40

Trust: 2.2

url: https://www.rcesecurity.com/

Trust: 2.2

url: https://nvd.nist.gov/vuln/detail/cve-2019-11604

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11604

Trust: 0.8

sources: CNVD: CNVD-2019-25506 // JVNDB: JVNDB-2019-004947 // CNNVD: CNNVD-201905-976 // NVD: CVE-2019-11604

CREDITS

Julien Ahrens

Trust: 0.6

sources: CNNVD: CNNVD-201905-976

SOURCES

db: CNVD, id: CNVD-2019-25506
db: JVNDB, id: JVNDB-2019-004947
db: CNNVD, id: CNNVD-201905-976
db: NVD, id: CVE-2019-11604

LAST UPDATE DATE

2024-11-23T22:21:36.932000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-25506, date: 2019-08-02T00:00:00
db: JVNDB, id: JVNDB-2019-004947, date: 2019-06-12T00:00:00
db: CNNVD, id: CNNVD-201905-976, date: 2019-05-30T00:00:00
db: NVD, id: CVE-2019-11604, date: 2024-11-21T04:21:26.060

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-25506, date: 2019-08-02T00:00:00
db: JVNDB, id: JVNDB-2019-004947, date: 2019-06-12T00:00:00
db: CNNVD, id: CNNVD-201905-976, date: 2019-05-23T00:00:00
db: NVD, id: CVE-2019-11604, date: 2019-05-24T17:29:02.633