search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Dell KACE K2000 Appliance contains multiple reflected cross-site scripting vulnerabilities

Vulnerability Note VU#193529

Original Release Date: 2011-11-08 | Last Revised: 2011-11-08


The administrative web interface for the Dell KACE K2000 System Deployment Appliance contains multiple cross-site scripting vulnerabilities.


The Dell KACE K2000 Deployment Appliance is an integrated systems provisioning product for large-scale operating systems deployment. Several components that support the administrative web interface supplied with the system are vulnerable to reflected (i.e., non-persistent) script injection.

A malicious link supplied by the attacker (e.g., in email or another web page) can cause the vulnerable web server to reflect injected code back to the user's browser, where it is executed in the context of the affected site. The vulnerable components require the victim user to be authenticated to the affected system in order for the attacker's script to be executed.


A remote attacker may be able to access the cookies, session tokens, or other sensitive information of a user authenticated to the affected system.


We are currently unaware of a practical solution to this problem.

Vendor Information


Dell Computer Corporation, Inc. Affected

Notified:  June 08, 2011 Updated: November 04, 2011

Statement Date:   November 04, 2011



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector



Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Chad Dougherty.

Other Information

CVE IDs: None
Severity Metric: 0.75
Date Public: 2011-11-03
Date First Published: 2011-11-08
Date Last Updated: 2011-11-08 20:02 UTC
Document Revision: 15

Sponsored by CISA.