CVE-2019-11604

Name of the Vulnerable Software and Affected Versions Quest KACE Systems Management Appliance versions prior to 9.1

Description The issue concerns an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability. It occurs when user-supplied input to the METHOD parameter in the /service/kbot service notsoap.php script is processed by the web application without proper validation and sanitization, allowing arbitrary script code to be placed into the context of the same page.

Recommendations For Quest KACE Systems Management Appliance versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /service/kbot service notsoap.php script to minimize the risk of exploitation. Avoid using the METHOD parameter in the affected script until the issue is resolved.