CVE-2018-11136

Name of the Vulnerable Software and Affected Versions Quest KACE System Management Appliance version 8.0.318

Description The issue concerns a SQL injection vulnerability, specifically a blind time-based type, in the Quest KACE System Management Appliance. This occurs due to the lack of sanitization of the orgID parameter received by the "/common/download agent installer.php" script.

Recommendations For Quest KACE System Management Appliance version 8.0.318, consider restricting access to the "/common/download agent installer.php" script until a patch is available. As a temporary workaround, avoid using the orgID parameter in the affected script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.