SQL Injection Vulnerabilities in Dell KACE K1000
CVE-2014-1671
Currently unrated
Key Information:
- Vendor: Dell
- Status: Vendor
- CVE Published: 26 January 2014
Summary
Multiple SQL injection vulnerabilities exist in Dell KACE K1000 version 5.4.76847 and potentially earlier versions. Remote attackers or authenticated users can exploit them to execute arbitrary SQL commands through various parameters. The affected inputs are the macAddress element in SOAP requests to getUploadPath and getKBot, and the ID parameter to userui/advisory_detail.php and userui/ticket.php. The ORDER[] parameter in userui/ticket_list.php is also vulnerable, potentially allowing sensitive data exposure or manipulation.
Timeline
Vulnerability published
Vulnerability Reserved