CVE-2021-44031

Name of the Vulnerable Software and Affected Versions: Quest KACE Desktop Authority versions prior to 11.2

Description: An issue was discovered in Quest KACE Desktop Authority that could allow pre-authentication remote code execution. The API endpoint "/dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx" contains a vulnerability. An attacker could upload a .ASP file to reside at "/images/{GUID}/{filename}".

Recommendations: For versions prior to 11.2, update to version 11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx" endpoint until a patch is available. Avoid using the filename variable in the affected API endpoint until the issue is resolved.