CVE-2018-11139

Name of the Vulnerable Software and Affected Versions Quest KACE System Management Appliance version 8.0.318

Description The issue concerns the '/common/ajax email connection test.php' script, which is accessible to any authenticated user. This script is susceptible to command injection due to unsanitized user input, specifically the 'TEST SERVER' variable sent via the POST method. This allows for the execution of arbitrary commands on the system.

Recommendations For Quest KACE System Management Appliance version 8.0.318, consider restricting access to the '/common/ajax email connection test.php' script until a patch is available. As a temporary workaround, avoid using the TEST SERVER variable in the affected script to minimize the risk of exploitation.