PT-2019-10965 · Quest · Quest Kace K1000 Appliance

Kapil Khot · Published 2019-06-03 · Updated 2020-09-18 · CVE-2018-5406

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Quest Kace K1000 Appliance versions prior to 9.0.270
Description: The issue allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could perform sensitive actions such as adding a new administrator account or changing the appliance's settings. A malicious internal user could also gain administrator privileges if an appliance user visits a malicious link that exploits this issue, causing the application to perform sensitive actions.
Recommendations: For Quest Kace K1000 Appliance versions prior to 9.0.270, update to version 9.0.270 or later to resolve the issue. As a temporary workaround, consider restricting access to the appliance's settings and administrator account management functions until a patch is applied.
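The following is an added example, not code from the advisory or from Quest. It models the misconfiguration class described above (an arbitrary Origin reflected in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true) as a defender-side check over response headers, and shows an allowlist-based policy as the hardened form. The origin names and header sets are constructed; nothing here is captured from a Kace appliance.

```python
# Added example (not from the advisory): classify one CORS response from an
# untrusted probe origin, and contrast a reflecting policy with an allowlist.

ALLOWED_ORIGINS = {"https://kace.example.internal"}  # constructed allowlist


def cors_risk(probe_origin: str, response_headers: dict) -> str:
    """Classify the CORS response to a request sent from an UNTRUSTED origin.

    'critical': probe origin (or 'null') is allowed AND credentials are allowed,
                so any web page can make cookie-authenticated cross-origin
                requests on behalf of a logged-in administrator.
    'medium'  : origin allowed without credentials, or a bare '*' (browsers
                refuse to send credentials for '*'), so only unauthenticated
                responses are readable cross-origin.
    'none'    : probe origin is not allowed.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "medium"
    if acao in (probe_origin, "null"):
        return "critical" if creds else "medium"
    return "none"


def reflecting_cors_headers(request_origin: str) -> dict:
    """Constructed model of the vulnerable behaviour: every Origin is echoed
    back and credentials are allowed, regardless of who is asking."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(request_origin: str) -> dict:
    """Allowlist policy: echo the Origin only when it is explicitly trusted,
    and emit no CORS headers at all for anyone else. 'Vary: Origin' keeps
    caches from serving one origin's allow header to another."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}
```

Pointing cors_risk at real responses means sending a harmless request (for example an OPTIONS preflight) with an Origin header you control and passing the returned headers in; a "critical" result is the condition this advisory describes.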

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2018-5406

Affected Products

Quest Kace K1000 Appliance