cvedb.io
CVE-2018-11141
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2018-05-31T18:29:00.683 · Last modified 2026-06-17T01:35:19.890

Summary

The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the 'www' user has write permissions.

Affected products

quest — kace_system_management_appliance

Does this affect you?

Add your gear to cvedb and we'll alert you only when quest ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.