Dell KACE K1000 < 5.5 Multiple SQL Injection Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The web interface for a system management appliance is affected by
multiple SQL injection vulnerabilities.

Description :

The web interface for the version of the Dell KACE K1000 appliance on
the remote host is affected by multiple SQL injection vulnerabilities.
The following parameters and scripts are affected :

- The 'TYPE_ID' parameter of 'adminui/history_log.php'.

- The 'ID' parameter of 'adminui/service.php',
'adminui/settings_network_scan.php', 'adminui/asset.php',
'adminui/asset_type.php', 'adminui/metering.php',
'adminui/mi.php', 'adminui/replshare.php',
'adminui/kbot.php', '/userui/advisory_detail.php',
and '/userui/ticket.php'.

- The 'macAddress' and 'getKBot' parameters of

- The 'ORDER[]' parameter of '/userui/ticket_list.php'.

Note that Nessus has not tested for these issues, but instead has relied
only on the application's self-reported version number.

See also :

Solution :

Upgrade KACE to version 5.5 or later.

Risk factor :

High / CVSS Base Score : 7.5
CVSS Temporal Score : 7.1
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 72392

Bugtraq ID: 61382

CVE ID: CVE-2014-1671