Quest Software Kace Systems Management Appliance

KACE SMA 12.1 XSS via web UI (Quest)
CVE-2022-38220 6.1 - Medium - March 01, 2023

An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML.

XSS

Hash Collision in Quest KACE SMA 12.0 Auth Allow Bad Login
CVE-2022-30285 9.8 - Critical - August 02, 2022

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.

Inadequate Encryption Strength

Predictable Token Gen in Quest KACE SMA <12.0 when Linking
CVE-2022-29808 7.5 - High - August 02, 2022

In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled.

Use of Insufficiently Random Values

Quest KACE SMA SQLi RCE in download_agent_installer.php (12.0)
CVE-2022-29807 9.8 - Critical - August 02, 2022

A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php.

SQL Injection

A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component
CVE-2019-12917 - November 06, 2019

A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO.

Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection
CVE-2019-12918 - November 06, 2019

Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection
CVE-2019-13076 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir].

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter)
CVE-2019-13077 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users.

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection
CVE-2019-13078 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column.

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection
CVE-2019-13079 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME.

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file)
CVE-2019-13080 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser.

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality)
CVE-2019-13081 - November 06, 2019

Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser.

Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x
CVE-2019-10973 7.2 - High - July 08, 2019

Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.

Improper Input Validation

An issue was discovered in Quest KACE Systems Management Appliance before 9.1
CVE-2019-11604 6.1 - Medium - May 24, 2019

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.

XSS