CVE-2018-5405

Name of the Vulnerable Software and Affected Versions: Quest Kace K1000 Appliance versions prior to 9.0.270

Description: The issue allows an authenticated user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. This could enable a malicious user to steal session cookies of other users, including Administrators, and take over their sessions. The software fails to properly neutralize user-controllable input before it is placed in output that is used as a web page served to other users, allowing for the injection of arbitrary JavaScript code. This can be exploited to launch other attacks.

Recommendations: For versions prior to 9.0.270, update to version 9.0.270 or later to resolve the issue. As a temporary workaround, consider restricting access to the tickets page for users with 'User Console Only' rights until the update is applied. Additionally, monitor user activity closely to detect and respond to potential session takeover attempts.