CVE-2014-1671

Name of the Vulnerable Software and Affected Versions Dell KACE K1000 version 5.4.76847 and possibly earlier

Description The issue allows remote attackers or remote authenticated users to execute arbitrary SQL commands. This can be achieved via several means, including the macAddress element in a getUploadPath or getKBot SOAP request to "service/kbot service.php", the ID parameter to "userui/advisory detail.php" or "userui/ticket.php", and the ORDER[] parameter to "userui/ticket list.php".

Recommendations For Dell KACE K1000 version 5.4.76847 and possibly earlier, consider restricting access to the service/kbot service.php, userui/advisory detail.php, userui/ticket.php, and userui/ticket list.php endpoints until a patch is available. As a temporary workaround, avoid using the macAddress element in getUploadPath or getKBot SOAP requests, and restrict the use of the ID parameter in userui/advisory detail.php and userui/ticket.php, as well as the ORDER[] parameter in userui/ticket list.php. At the moment, there is no information about a newer version that contains a fix for this issue.