CVE-2018-5406
published 2019-06-03


Priority: P2 · 68 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.21% (95.7th percentile)
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | kace_systems_management_appliance_firmware | < 9.0.270 | 9.0.270 |
| quest_kace | k1000_appliance | >= 9.0.270 < 9.0.270 | 9.0.270 |

Detection & IOCs (extracted from sources)

other: alert("XSSinSummary"); · alert(document.cookie); · <!--
  • Monitor for CORS misconfiguration abuse: look for cross-origin POST requests to the KACE K1000 appliance admin endpoints originating from unexpected external origins, which may indicate CSRF exploitation via CVE-2018-5406.
  • Alert on unexpected new administrator account creation or appliance settings changes on KACE K1000 appliances running versions prior to 9.0.270, as these are the sensitive actions enabled by this CORS/CSRF vulnerability.
  • Detect stored XSS exploitation attempts in the KACE SMA ticket Summary field — any script tags or JavaScript alert/cookie-exfiltration payloads submitted to ticket creation endpoints should be flagged.
  • Any user, including an administrator, who visits a ticket page on KACE SMA may execute injected scripts; monitor for anomalous JavaScript execution or cookie access events tied to the ticket viewer page.
  • The CORS misconfiguration (CVE-2018-5406) was confirmed fixed in version 9.0.270; however, a separate vulnerability (#2, stored XSS) was noted as still present even in the patched 9.0.270 release.
  • The vendor's full patch addressing all vulnerabilities, including the remaining stored XSS, was not scheduled until May 2019; organizations should verify that their KACE K1000/SMA version is at or above 9.0.270 AND confirm that the XSS fix is included.
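
One way to implement the first check above (cross-origin, state-changing requests to admin endpoints), as an added example that is not from the advisory or the vendor. The trusted origin, the admin path prefix (a placeholder, since the page gives no paths) and the JSON log format of a reverse proxy in front of the appliance are all assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumptions, not from the advisory: the appliance origin, the admin path
# prefix (placeholder), and a reverse proxy logging Origin/Referer as JSON.
TRUSTED = {("https", "kace.corp.example", 443)}
ADMIN_PREFIX = "/admin-path-placeholder/"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
PORTS = {"http": 80, "https": 443}

def origin_tuple(value):
    """Normalise an Origin or Referer value to (scheme, host, port), else None."""
    if not value or value in ("-", "null"):
        return None
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme not in PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or PORTS[parts.scheme])

def classify(event):
    """Return a verdict for a suspicious admin request, or None."""
    if (event.get("method", "").upper() not in STATE_CHANGING
            or not event.get("path", "").startswith(ADMIN_PREFIX)):
        return None
    if event.get("origin") == "null":  # sandboxed frame or data: document
        return "opaque-origin"
    src = origin_tuple(event.get("origin")) or origin_tuple(event.get("referer"))
    if src is None:  # non-browser client: no origin evidence either way
        return None
    return None if src in TRUSTED else "cross-origin"

def scan(lines):
    """Return (ts, verdict, source) for each flagged JSON log line."""
    events = [json.loads(line) for line in lines]
    return [(e["ts"], classify(e), e.get("origin") or e.get("referer"))
            for e in events if classify(e)]

# Constructed sample events, not taken from a real appliance.
P = ADMIN_PREFIX + "users"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"ts": 1, "method": "POST", "path": P, "origin": "https://kace.corp.example:443"},
    {"ts": 2, "method": "POST", "path": P, "origin": "https://unrelated.example"},
    {"ts": 3, "method": "GET", "path": P, "origin": "https://unrelated.example"},
    {"ts": 4, "method": "POST", "path": P, "origin": "null"},
    {"ts": 5, "method": "POST", "path": P, "referer": "https://unrelated.example/a"},
)]
```

Findings from `scan` are most useful when correlated with the second check above: an administrator account creation or settings change shortly after a flagged request.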

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C