CVE-2014-1671 - Vulnerability Details - OpenCVE

Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Kace K1000 Systems Management Appliance Kace K1000 Systems Management Appliance Software Kace K1000 Systems Management Virtual Appliance Kace K1100s Systems Management Appliance Kace K1200s Systems Management Appliance

Configuration 1 [-]

OR	cpe:2.3:a:dell:kace_k1000_systems_management_appliance_software:5.4.76847:::::::*
	cpe:2.3:a:dell:kace_k1000_systems_management_virtual_appliance:-:::::::*
	cpe:2.3:h:dell:kace_k1000_systems_management_appliance:-:::::::*
	cpe:2.3:h:dell:kace_k1100s_systems_management_appliance:-:::::::*
	cpe:2.3:h:dell:kace_k1200s_systems_management_appliance:-:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/56396
http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-%28DS-2014-001%29
http://www.securityfocus.com/bid/65029
https://exchange.xforce.ibmcloud.com/vulnerabilities/90592

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-26T01:00:00

Updated: 2024-08-06T09:50:10.891Z

Reserved: 2014-01-25T00:00:00

Link: CVE-2014-1671

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-01-26T01:55:20.657

Modified: 2025-04-11T00:51:21.963

Link: CVE-2014-1671

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "56396", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56396"}, {"name": "kace-multiple-sql-injection(90592)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"}, {"tags": ["x_refsource_MISC"], "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-%28DS-2014-001%29"}, {"name": "65029", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65029"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1671", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "56396", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56396"}, {"name": "kace-multiple-sql-injection(90592)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"}, {"name": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-(DS-2014-001)", "refsource": "MISC", "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-(DS-2014-001)"}, {"name": "65029", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65029"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:50:10.891Z"}, "title": "CVE Program Container", "references": [{"name": "56396", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/56396"}, {"name": "kace-multiple-sql-injection(90592)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-%28DS-2014-001%29"}, {"name": "65029", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65029"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1671", "datePublished": "2014-01-26T01:00:00", "dateReserved": "2014-01-25T00:00:00", "dateUpdated": "2024-08-06T09:50:10.891Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:kace_k1000_systems_management_appliance_software:5.4.76847:*:*:*:*:*:*:*", "matchCriteriaId": "70751C2E-9114-4C08-8240-50F5DB6F48B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:kace_k1000_systems_management_virtual_appliance:-:*:*:*:*:*:*:*", "matchCriteriaId": "D33EE014-9F39-4E62-B63D-1B2E114D6BDB", "vulnerable": true}, {"criteria": "cpe:2.3:h:dell:kace_k1000_systems_management_appliance:-:*:*:*:*:*:*:*", "matchCriteriaId": "D035492A-E45C-443F-8714-6851826B0598", "vulnerable": true}, {"criteria": "cpe:2.3:h:dell:kace_k1100s_systems_management_appliance:-:*:*:*:*:*:*:*", "matchCriteriaId": "26271997-3C2A-4279-9F56-C41A447F557B", "vulnerable": true}, {"criteria": "cpe:2.3:h:dell:kace_k1200s_systems_management_appliance:-:*:*:*:*:*:*:*", "matchCriteriaId": "DCB9D98E-1BF0-410F-86A3-65B52D1A9A1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Dell KACE K1000 5.4.76847 y posiblemente anteriores permite a atacantes remotos o usuarios remotos autenticados ejecutar comandos SQL a trav\u00e9s del elemento MacAddress en un (1) getUploadPath o (2) en una solicitud SOAP getKBot a service/kbot_service.php; el par\u00e1metro ID para (3) userui / advisory_detail.php o (4) userui / ticket.php, y (5) el paramtero ORDER[] para userui / ticket_list.php."}], "id": "CVE-2014-1671", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-26T01:55:20.657", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/56396"}, {"source": "cve@mitre.org", "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-%28DS-2014-001%29"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65029"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/56396"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Dell-KACE-K1000-SQL-Injection-%28DS-2014-001%29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65029"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90592"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}