PT-2018-10333 · Quest · Quest Kace System Management Virtual Appliance

Published: 2018-05-31 · Updated: 2018-06-29 · CVE-2018-11141

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Quest KACE System Management Virtual Appliance version 8.0.318

Description: The issue concerns the /adminui/advisory.php script, where the IMAGES JSON parameter and the attachments to remove[] parameter are vulnerable to directory traversal. Through the former an attacker can write files, and through the latter delete files, in any location where the www user has write permissions.

Recommendations: For Quest KACE System Management Virtual Appliance version 8.0.318, consider restricting access to the /adminui/advisory.php script until a patch is available. As a temporary workaround, restrict the write permissions of the www user to minimize the risk of exploitation. Avoid using the IMAGES JSON and attachments to remove[] parameters in the affected script until the issue is resolved.
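The description above covers both a write path (the IMAGES JSON parameter) and a delete path (the attachments to remove[] parameter) that accept user-controlled file names. The following is an added example, not code from Quest or from the advisory, showing the containment check such a handler needs before it writes or deletes a user-named file: resolve the canonical path and refuse anything that does not land strictly inside the attachment directory. The directory layout, function names and sample file names are assumptions made for the example.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """A user-supplied file name would resolve outside the attachment directory."""


def resolve_attachment(base_dir: str, user_name: str) -> str:
    """Map a user-controlled name (for example one entry of an
    attachments-to-remove[] style parameter or of a JSON image list) onto a
    path strictly inside base_dir.

    The containment check runs on the canonical path, so '..' segments,
    absolute names and symlinks pointing outside base_dir are all rejected.
    """
    if not user_name or "\x00" in user_name:
        raise UnsafePathError("empty name or embedded NUL byte")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_name is absolute, so an absolute
    # name produces a candidate outside base and fails the check below.
    candidate = os.path.realpath(os.path.join(base, user_name))
    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows)
        contained = False
    if not contained or candidate == base:
        raise UnsafePathError(f"rejected name outside attachment directory: {user_name!r}")
    return candidate


def is_inside(base_dir: str, user_name: str) -> bool:
    """Boolean form of resolve_attachment, handy for input validation."""
    try:
        resolve_attachment(base_dir, user_name)
        return True
    except UnsafePathError:
        return False


def save_image(base_dir: str, user_name: str, data: bytes) -> str:
    """Write an uploaded image only directly inside base_dir; returns the path."""
    target = resolve_attachment(base_dir, user_name)
    # Images are expected as flat files: refuse names that introduce subdirectories.
    if os.path.dirname(target) != os.path.realpath(base_dir):
        raise UnsafePathError("nested paths are not allowed for images")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def delete_attachments(base_dir: str, names: list) -> dict:
    """Delete the named attachments and report a status per name; nothing
    outside base_dir is ever touched."""
    statuses = {}
    for name in names:
        try:
            target = resolve_attachment(base_dir, name)
        except UnsafePathError:
            statuses[name] = "rejected"
            continue
        if os.path.isfile(target):
            os.remove(target)
            statuses[name] = "deleted"
        else:
            statuses[name] = "missing"
    return statuses


def demo() -> dict:
    """Exercise the helpers in a throwaway directory with constructed names."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "attachments")
        os.mkdir(base)
        # A constructed file next to the attachment directory that must survive.
        sibling = os.path.join(root, "outside.txt")
        with open(sibling, "w") as fh:
            fh.write("must survive")
        save_image(base, "logo.png", b"\x89PNG")
        statuses = delete_attachments(
            base, ["logo.png", "../outside.txt", "missing.png", "/etc/hostname"]
        )
        statuses["outside_survived"] = os.path.exists(sibling)
        try:
            save_image(base, "sub/evil.png", b"")
            statuses["nested_write"] = "written"
        except UnsafePathError:
            statuses["nested_write"] = "rejected"
        return statuses


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares canonical paths rather than searching the raw name for `..`, so it also catches absolute names and symlink escapes, which a string filter misses. Restricting the www user's write permissions, as the advisory recommends, remains a worthwhile second layer because it bounds what a bypass of the check could reach.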

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2018-11141

Affected Products: Quest Kace System Management Virtual Appliance