CVE-2018-11139: OS Command Injection
First published: Thu May 31 2018(Updated: )
The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via the POST method.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Quest KACE Systems Management Appliance | =8.0.318 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-11139?
CVE-2018-11139 is considered to have a high severity due to its potential for arbitrary command execution.
How do I fix CVE-2018-11139?
To fix CVE-2018-11139, ensure that the affected Quest KACE System Management Appliance is updated to a patched version that sanitizes user inputs.
Who is affected by CVE-2018-11139?
Any authenticated user of the Quest KACE System Management Appliance version 8.0.318 is potentially affected by CVE-2018-11139.
What types of attacks can be performed using CVE-2018-11139?
CVE-2018-11139 allows attackers to perform command injection attacks by exploiting the unsanitized input in the '/common/ajax_email_connection_test.php' script.
Is CVE-2018-11139 a localized vulnerability?
CVE-2018-11139 is not localized and can be exploited by any authenticated user irrespective of their geographical location.
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/quest
- canonical/quest kace systems management appliance
- version/quest kace systems management appliance/8.0.318