Vulnerability Note VU#193529

Dell KACE K2000 Appliance contains multiple reflected cross-site scripting vulnerabilities

Original Release date: 08 Nov 2011 | Last revised: 08 Nov 2011

Overview

The administrative web interface for the Dell KACE K2000 System Deployment Appliance contains multiple cross-site scripting vulnerabilities.

Description

The Dell KACE K2000 Deployment Appliance is an integrated systems provisioning product for large-scale operating systems deployment. Several components that support the administrative web interface supplied with the system are vulnerable to reflected (i.e., non-persistent) script injection.

A malicious link supplied by the attacker (e.g., in email or another web page) can cause the vulnerable web server to reflect injected code back to the user's browser, where it is executed in the context of the affected site. The vulnerable components require the victim user to be authenticated to the affected system in order for the attacker's script to be executed.

Impact

A remote attacker may be able to access the cookies, session tokens, or other sensitive information of a user authenticated to the affected system.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Dell Computer Corporation, Inc.Affected08 Jun 201104 Nov 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Chad Dougherty.

Other Information

  • CVE IDs: Unknown
  • Date Public: 03 Nov 2011
  • Date First Published: 08 Nov 2011
  • Date Last Updated: 08 Nov 2011
  • Severity Metric: 0.75
  • Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.