Dell KACE K1000 System Management Appliance Multiple Vulnerabilities


Description   Vulnerability Lab has reported multiple vulnerabilities in Dell KACE K1000 System Management Appliance, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.
1) Input passed via the "FARRAY[IP]", "FARRAY[MAC]", "FARRAY[OS_NAME]", "FARRAY[SERVICE_PACK]", and "FARRAY[NOTES]" POST parameters to adminui/machine_edit.php (when "save" is set to "Save") and via the "ACTION_SELECTION" POST parameter to adminui/computer_inventory.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.
Successful exploitation of this vulnerability requires permissions to add items to the Inventory.
2) Input passed via the "ID" and "TYPE_ID" parameters to adminui/history_log.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Inventory/Computers role.
3) Input passed via the "ID" and "TYPE_ID" parameters to adminui/service.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Inventory/Service role.
4) Input passed via the "ID" and "TYPE_ID" parameters to adminui/software.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Inventory/Software role.
5) Input passed via the "ID" and "TYPE_ID" parameters to adminui/settings_network_scan.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Inventory/IP Scan role.
6) Input passed via the "ID" and "TYPE_ID" parameters to adminui/asset.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Asset/Assets role.
7) Input passed via the "ID" and "TYPE_ID" parameters to adminui/asset_type.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Asset/Asset Types role.
8) Input passed via the "ID" and "TYPE_ID" parameters to adminui/metering.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Asset/Metering role.
9) Input passed via the "ID" and "TYPE_ID" parameters to adminui/mi.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Distribution/Managed Installations role.
10) Input passed via the "ID" and "TYPE_ID" parameters to adminui/replshare.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Distribution/Replication role.
11) Input passed via the "ID" and "TYPE_ID" parameters to adminui/kbot.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the Scripting/Scripts role.
The vulnerabilities are reported in version 5.4.70402. Other versions may also be affected.
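For appliances not yet updated, items 2 to 11 can be triaged from the web access log. The following Python script is an added example, not part of the original advisory or of Dell's code: it flags requests to the listed adminui scripts whose "ID" or "TYPE_ID" value is not a plain integer. It assumes that legitimate values are decimal integers, that the log uses the common log format, and that the parameters appear in the request URL (POST bodies are not visible in such logs); the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts the advisory lists as taking "ID" and "TYPE_ID" (items 2-11).
AFFECTED = {
    "history_log.php", "service.php", "software.php",
    "settings_network_scan.php", "asset.php", "asset_type.php",
    "metering.php", "mi.php", "replshare.php", "kbot.php",
}
WATCHED = {"ID", "TYPE_ID"}
# Assumption (not stated in the advisory): valid values are decimal integers.
NUMERIC = re.compile(r"[0-9]{1,10}")
# Request field of a common-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for non-numeric ID/TYPE_ID."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    head, _, script = url.path.rpartition("/")
    if not head.endswith("adminui") or script not in AFFECTED:
        return []
    hits = []
    # parse_qsl percent-decodes, so encoded quotes and spaces are compared in clear.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED and not NUMERIC.fullmatch(value):
            hits.append((script, name, value))
    return hits

def scan(lines):
    """Collect findings over many log lines, keeping the line number."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in suspicious_params(line)]

# Constructed sample log lines (documentation IP range, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2013:10:00:01 +0000] "GET /adminui/history_log.php?ID=12&TYPE_ID=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Jul/2013:10:02:13 +0000] "GET /adminui/asset.php?ID=7%27&TYPE_ID=3 HTTP/1.1" 500 310',
    '192.0.2.44 - - [17/Jul/2013:10:02:19 +0000] "GET /adminui/kbot.php?ID=5&TYPE_ID=2%20OR%201 HTTP/1.1" 200 4890',
    '192.0.2.10 - - [17/Jul/2013:10:03:00 +0000] "GET /adminui/summary.php?ID=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, (script, param, value) in scan(SAMPLE_LOG):
        print(f"line {line_no}: {script} {param}={value!r}")
```

Because every SQL injection item requires an authenticated role, a finding is best correlated with the session or account that issued the request.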
     
Vulnerable Products   Vulnerable OS:
Dell KACE K1000 System Management Appliance 5.x
Vulnerable Software:
     
Solution   Update to version 5.5.
     
CVE  
     
References   Dell:
http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL119257
http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL120155
Vulnerability Lab:
http://www.vulnerability-lab.com/get_content.php?id=832
http://www.vulnerability-lab.com/get_content.php?id=833
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm | Available Since
XSS - Prevention - POST : suspicious tag with event found in data | 3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 3.2.0
XSS - Prevention - POST : 'location' javascript object found in data | 3.2.0
XSS - Prevention - POST : javascript code found in data | 3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 3.2.0
XSS - Prevention - POST : code allowing cookie access found in data | 3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 3.2.0
XSS - Prevention - POST : 'script' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 5.0.0
XSS - Prevention - POST : javascript code found in data | 5.0.0
XSS - Prevention - POST : suspicious tag with event found in data | 5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 5.0.0
XSS - Prevention - POST : 'location' javascript object found in data | 5.0.0
XSS - Prevention - POST : code allowing cookie access found in data | 5.0.0
XSS - Prevention - POST : 'script' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 5.0.0
     


 
 
 
 
 Risk level 
Low 

 Vulnerability First Public Report Date 
2013-07-17 

 Target Type 
Server 

 Possible exploit 
Remote