CVSS SCORE: 4.0, (AV:N/AC:L/Au:S/C:P/I:N/A:N)
KACE Systems Management
The specific flaw exists within the handling of the ID parameter provided to the run_cross_report page. The issue results from the lack of proper validation of a user-supplied string before it is used to construct SQL queries. An attacker can leverage this vulnerability to disclose sensitive information in the context of the database.
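To review web server logs for requests that send unexpected input to this page, the following Python is an added example, not part of the advisory or of the vendor's code. It assumes combined-format access logs and that a legitimate ID value is a short decimal integer; the URL path prefix is a placeholder and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')
PAGE = "run_cross_report"   # page named in the advisory
PARAM = "id"                # parameter named in the advisory, matched case-insensitively
# Assumption: a legitimate ID is a short decimal integer.
INTEGER_RE = re.compile(r"[0-9]{1,10}")


def suspicious_ids(log_lines):
    """Return (line_number, decoded_value) for each request to the report
    page whose ID parameter is present but is not a plain integer."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if PAGE not in url.path:
            continue
        # parse_qsl percent-decodes values; keep_blank_values keeps "ID=" visible.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == PARAM and not INTEGER_RE.fullmatch(value):
                findings.append((number, value))
    return findings


# Constructed sample log lines; "/PLACEHOLDER/" is not the product's real path.
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Oct/2023:10:01:02 +0000] "GET /PLACEHOLDER/run_cross_report?ID=17 HTTP/1.1" 200 5120',
    '192.0.2.44 - bob [10/Oct/2023:10:03:40 +0000] "GET /PLACEHOLDER/run_cross_report?ID=17%27 HTTP/1.1" 500 312',
    '192.0.2.44 - bob [10/Oct/2023:10:03:58 +0000] "GET /PLACEHOLDER/run_cross_report?id=17%20AND%201%3D1 HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [10/Oct/2023:10:05:11 +0000] "GET /PLACEHOLDER/other_page?ID=abc HTTP/1.1" 200 900',
    '192.0.2.44 - bob [10/Oct/2023:10:06:00 +0000] "GET /PLACEHOLDER/run_cross_report?ID= HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for number, value in suspicious_ids(SAMPLE_LOG):
        print(f"line {number}: non-integer ID value {value!r}")
```

Only parameters carried in the query string appear in access logs, so an ID sent in a POST body needs request-body logging or a WAF rule to be seen.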
Quest has issued an update to correct this vulnerability. More details can be found at:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
04/13/18 - ZDI reported the vulnerabilities to the vendor
CREDIT: Michael Flanders of the Zero Day Initiative