CyberSec.Space Logo
Back to CVE Browser

CVE-2021-44029

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1460%
EPSS Percentile26.21th
PublishedDec 22, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation.

Affected Platforms (CPE)

📦
Quest

Kace Desktop Authority

>= 10.0 and < 11.2

References & Advisories

🔗 https://support.quest.com/kace-desktop-authority/kb/336098/quest-response-to-desktop-authority-vulnerabilities-prior-to-11-2
🔗 https://support.quest.com/kace-desktop-authority/kb/336098/quest-response-to-desktop-authority-vulnerabilities-prior-to-11-2

Related Vulnerabilities

CVE-2021-440319.8

An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertim...

CVE-2021-440306.1

Quest KACE Desktop Authority before 11.2 allows XSS because it does not prevent untrusted HTML from reaching the jQuery.htmlPrefil...

CVE-2021-440285.5

XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacke...

CVE-2021-4155610.0

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to ...