cbcvebase.
CVE-2018-11139
published 2018-05-31

CVE-2018-11139: The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be…

PriorityP266high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
42.92%
98.6th percentile
The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via the POST method.

Affected

1 ranges
VendorProductVersion rangeFixed in
questkace_system_management_appliance

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.