{"vuid":"VU#813382","idnumber":"813382","name":"Dell KACE K1000 management appliance contains a cross-site scripting vulnerability","keywords":["dell","kace","k1000","xss","cross-site scripting","cwe-79"],"overview":"Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79)","clean_desc":"Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. The \"LABEL_ID\" parameter in the \"adminui/user_list.php\" page is vulnerable. Proof-of-Concept: hxxp://ip_KACE/adminui/user_list.php?SEARCH_SELECTION=&LABEL_ID=aaas\"><script>alert(\"XSS\");</script>&&PAGE=2","impact":"A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.","resolution":"Dell has provided this response to the vulnerability. Also, please consider the following workaround.","workarounds":"Restrict access As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the interface using stolen credentials from a blocked network location.","sysaffected":"","thanks":"Thanks to William Costa for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL120154","http://www.kace.com/products/systems-management-appliance","http://cwe.mitre.org/data/definitions/79.html"],"cveids":["CVE-2014-0330"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-12-03T13:21:05Z","publicdate":"2014-02-03T00:00:00Z","datefirstpublished":"2014-02-04T15:59:21Z","dateupdated":"2014-02-11T20:43:59Z","revision":26,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"1","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"3.5","cvss_environmentalscore":"3.4691232954","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}