Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions allows remote attackers to inject arbitrary web script or HTML via certain Custom Fields.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | * |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.
CVSS 2.0
Severity: LOW
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | * |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 1.0.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 1.0.2 |
| bestpractical | rt | 1.0.4 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 1.0.3 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 1.0.5 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 1.0.6 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 1.0.7 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 1.0.0 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.0.0 |
Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | * |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 1.0.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 1.0.2 |
| bestpractical | rt | 1.0.4 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 1.0.3 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 1.0.5 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 1.0.6 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 1.0.7 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 1.0.0 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.0.0 |
Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.4 |
Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.0.0 |
Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote attackers to read arbitrary files via a crafted HTTP request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.0.0 |
Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.5 |
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to read (1) hashes of former passwords and (2) ticket correspondence history by leveraging access to a privileged account.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 1.0.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 1.0.2 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 1.0.4 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 1.0.5 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 1.0.7 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 1.0.0 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | * |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 1.0.3 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 1.0.6 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-5092 and CVE-2011-5093.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a group membership.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to execute arbitrary SQL commands by leveraging access to a privileged account.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 2.0.6 |
| bestpractical | rt | 2.0.11 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 2.0.15 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 2.0.8.2 |
| bestpractical | rt | 2.0.0 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 2.0.5 |
| bestpractical | rt | 2.0.9 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 2.0.1 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 2.0.4 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 2.0.13 |
| bestpractical | rt | 2.0.5.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 2.0.12 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 2.0.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 2.0.2 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 2.0.7 |
| bestpractical | rt | 2.0.5.3 |
| bestpractical | rt | 2.0.8 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 2.0.14 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 3.0.4 |
| bestpractical | rt | 3.1.11 |
| bestpractical | rt | 3.4.5 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 3.5.4 |
| bestpractical | rt | 3.4.6 |
| bestpractical | rt | 3.2.3 |
| bestpractical | rt | 3.7.5 |
| bestpractical | rt | 3.6.0 |
| bestpractical | rt | 3.6.2 |
| bestpractical | rt | 3.0.2 |
| bestpractical | rt | 3.4.4 |
| bestpractical | rt | 3.7.1 |
| bestpractical | rt | 3.0.1 |
| bestpractical | rt | 3.1.13 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 3.4.0 |
| bestpractical | rt | 3.5.7 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.5.3 |
| bestpractical | rt | 3.0.11 |
| bestpractical | rt | 3.0.5 |
| bestpractical | rt | 3.5.2 |
| bestpractical | rt | 3.2.2 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 3.0.10 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.6.1 |
| bestpractical | rt | 3.1.5 |
| bestpractical | rt | 3.6.9 |
| bestpractical | rt | 3.6.5 |
| bestpractical | rt | 3.0.9 |
| bestpractical | rt | 3.1.15 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.4.3 |
| bestpractical | rt | 3.1.4 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 3.6.6 |
| bestpractical | rt | 3.5.6 |
| bestpractical | rt | 3.6.3 |
| bestpractical | rt | 3.1.8 |
| bestpractical | rt | 3.6.7 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.5.1 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 3.1.3 |
| bestpractical | rt | 3.6.8 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 3.6.4 |
| bestpractical | rt | 3.4.2 |
| bestpractical | rt | 3.6.10 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.7.80 |
| bestpractical | rt | 3.2.0 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.7.85 |
| bestpractical | rt | 3.0.12 |
| bestpractical | rt | 3.1.6 |
| bestpractical | rt | 3.5.5 |
| bestpractical | rt | 3.0.6 |
| bestpractical | rt | 3.0.3 |
| bestpractical | rt | 3.7.86 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.1.16 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 3.1.2 |
| bestpractical | rt | 3.0.8 |
| bestpractical | rt | 3.4.1 |
| bestpractical | rt | 3.4.7 |
| bestpractical | rt | 3.0.7 |
| bestpractical | rt | 3.0.7.1 |
| bestpractical | rt | 3.1.7 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 3.1.14 |
| bestpractical | rt | 3.1.17 |
| bestpractical | rt | 3.2.1 |
| bestpractical | rt | 3.0.0 |
| bestpractical | rt | 3.1.12 |
| bestpractical | rt | 3.1.10 |
Best Practical Solutions RT 4.x before 4.0.6 does not properly implement the DisallowExecuteCode option, which allows remote authenticated users to bypass intended access restrictions and execute arbitrary code by leveraging access to a privileged account, a different vulnerability than CVE-2011-4458 and CVE-2011-5092.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 3.8.12 |
Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote attackers to spoof messages by leveraging the lack of authentication semantics.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 3.8.12 |
Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly cause a denial of service (loss of e-mail readability), via an e-mail message to a queue's address.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 3.8.12 |
Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditing via an e-mail message to a queue's address.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 3.8.12 |
Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 3.8.12 |
bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an attachment.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences and caches) via unknown vectors, related to a "limited session re-use."
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 3.8.13 |
| bestpractical | rt | 3.8.4 |
| bestpractical | rt | 3.8.11 |
| bestpractical | rt | 3.8.2 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 3.8.8 |
| bestpractical | rt | 3.8.12 |
| bestpractical | rt | 3.8.9 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 3.8.7 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 3.8.16 |
| bestpractical | rt | 3.8.14 |
| bestpractical | rt | 3.8.1 |
| bestpractical | rt | 3.8.6 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 3.8.15 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 3.8.3 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 3.8.0 |
| bestpractical | rt | 3.8.5 |
| bestpractical | rt | 3.8.10 |
| bestpractical | rt | 4.0.7 |
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | * |
| bestpractical | request_tracker | 3.6.8 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 3.8.16 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 3.8.12 |
| bestpractical | request_tracker | 3.6.11 |
| bestpractical | request_tracker | 3.6.10 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 3.8.15 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | rt-extension-mobileui | * |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.0.2 |
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.0.2 |
| bestpractical | rt | 4.0.3 |
| bestpractical | rt | 4.0.5 |
| bestpractical | rt | 4.0.4 |
| bestpractical | rt | 4.0.1 |
| bestpractical | rt | 4.0.11 |
| bestpractical | rt | 4.0.0 |
| bestpractical | rt | 4.0.12 |
| bestpractical | rt | 4.0.10 |
| bestpractical | rt | 4.0.9 |
| bestpractical | rt | 4.0.8 |
| bestpractical | rt | 4.0.6 |
| bestpractical | rt | 4.0.7 |
Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | rt | 4.2.0 |
| bestpractical | rt | 4.2.2 |
| bestpractical | rt | 4.2.1 |
| email::address::list_project | email::address::list | * |
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 3.8.7 |
| bestpractical | request_tracker | 3.8.3 |
| bestpractical | request_tracker | 3.8.16 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.0.14 |
| fedoraproject | fedora | 22 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 3.8.4 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 3.6.11 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 3.6.10 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 3.8.15 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.2.7 |
| fedoraproject | fedora | 21 |
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 3.6.8 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 3.8.17 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 3.8.12 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 4.0.21 |
| debian | debian_linux | 7.0 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.5 |
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 3.8.13 |
| bestpractical | request_tracker | 3.8.16 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 3.8.17 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.14 |
| fedoraproject | fedora | 22 |
| bestpractical | request_tracker | 3.8.9 |
| bestpractical | request_tracker | 3.8.10 |
| bestpractical | request_tracker | 3.8.14 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 3.8.12 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 3.8.8 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.21 |
| debian | debian_linux | 7.0 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 3.8.15 |
| bestpractical | request_tracker | 3.8.11 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.2.7 |
| fedoraproject | fedora | 21 |
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | * |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.2.9 |
| fedoraproject | fedora | 22 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.2.7 |
| bestpractical | request_tracker | 4.2.2 |
| fedoraproject | fedora | 21 |
Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 4.2.10 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.4.1 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.14 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.2.13 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.24 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.2.11 |
| bestpractical | request_tracker | 4.2.12 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.21 |
| bestpractical | request_tracker | 4.4.0 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 4.0.23 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.2.7 |
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 4.2.10 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.4.1 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.14 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.2.13 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.24 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.2.11 |
| bestpractical | request_tracker | 4.2.12 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.21 |
| bestpractical | request_tracker | 4.4.0 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 4.0.23 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.2.7 |
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 4.2.10 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.4.1 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.14 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.2.13 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.24 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.2.11 |
| bestpractical | request_tracker | 4.2.12 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.21 |
| bestpractical | request_tracker | 4.4.0 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 4.0.23 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.2.7 |
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | 4.0.7 |
| bestpractical | request_tracker | 4.2.4 |
| bestpractical | request_tracker | 4.0.20 |
| bestpractical | request_tracker | 4.2.10 |
| bestpractical | request_tracker | 4.0.3 |
| bestpractical | request_tracker | 4.2.0 |
| bestpractical | request_tracker | 4.0.16 |
| bestpractical | request_tracker | 4.2.8 |
| bestpractical | request_tracker | 4.4.1 |
| bestpractical | request_tracker | 4.0.8 |
| bestpractical | request_tracker | 4.2.9 |
| bestpractical | request_tracker | 4.0.1 |
| bestpractical | request_tracker | 4.0.14 |
| bestpractical | request_tracker | 4.0.12 |
| bestpractical | request_tracker | 4.2.3 |
| bestpractical | request_tracker | 4.2.5 |
| bestpractical | request_tracker | 4.2.13 |
| bestpractical | request_tracker | 4.0.9 |
| bestpractical | request_tracker | 4.0.24 |
| bestpractical | request_tracker | 4.0.10 |
| bestpractical | request_tracker | 4.0.2 |
| bestpractical | request_tracker | 4.0.22 |
| bestpractical | request_tracker | 4.2.2 |
| bestpractical | request_tracker | 4.0.11 |
| bestpractical | request_tracker | 4.2.11 |
| bestpractical | request_tracker | 4.2.12 |
| bestpractical | request_tracker | 4.0.18 |
| bestpractical | request_tracker | 4.2.6 |
| bestpractical | request_tracker | 4.0.13 |
| bestpractical | request_tracker | 4.0.19 |
| bestpractical | request_tracker | 4.0.21 |
| bestpractical | request_tracker | 4.4.0 |
| bestpractical | request_tracker | 4.0.17 |
| bestpractical | request_tracker | 4.0.23 |
| bestpractical | request_tracker | 4.0.6 |
| bestpractical | request_tracker | 4.0.4 |
| bestpractical | request_tracker | 4.2.1 |
| bestpractical | request_tracker | 4.0.0 |
| bestpractical | request_tracker | 4.0.15 |
| bestpractical | request_tracker | 4.0.5 |
| bestpractical | request_tracker | 4.2.7 |
The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 28 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 18.04 |
| bestpractical | request_tracker | * |
| canonical | ubuntu_linux | 16.04 |
| fedoraproject | fedora | 29 |
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-203,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| bestpractical | request_tracker | * |
| fedoraproject | fedora | 35 |
Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker_for_incident_response | * |
Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker_for_incident_response | * |
Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 |
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
| cve@mitre.org | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
| cve@mitre.org | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| bestpractical | request_tracker | * |