The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data.

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.

noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46).