19 results (0.004 seconds)

CVSS: 4.3EPSS: 0%CPEs: 49EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the topic administration page in the Extension::MobileUI extension before 1.02 for Best Practical Solutions RT 3.8.x and in Best Practical Solutions RT before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en la página de administración de temas en la extensión Extension::MobileUI anterior a v1.02 para (Best Practical Solutions RT) v3.8.x y en (Best Practical Solutions RT) anterior a v4.0.6. • http://lists.bestpractical.com/pipermail/rt-announce/2012-July/000208.html http://secunia.com/advisories/50010 http://www.securityfocus.com/bid/54684 https://exchange.xforce.ibmcloud.com/vulnerabilities/77211 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 3%CPEs: 170EXPL: 0

Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093. Best Practical Solutions RT 3.8.x anteriores a 3.8.12 y 4.x anteriores a 4.0.6 permite a atacantes remotos ejecutar código arbitrario y escalar privilegios a través de vectores de ataque sin especificar. Una vulnerabilidad distinta a la CVE-2011-4458 y CVE-2011-5093. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 3.5EPSS: 0%CPEs: 170EXPL: 0

Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a group membership. Best Practical Solutions RT 3.x anteriores a 3.8.12 y 4.x anteriores a 4.0.6 no deshabilitan apropiadamente los grupos, lo que permite a usuarios autenticados remotos evitar las restricciones de acceso previstas en determinadas circunstancias utilizando una pertenencia a grupo. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://secunia.com/advisories/49259 http://www.securityfocus.com/bid/53660 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 170EXPL: 0

The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009. RT v3.x anterior a v3.8.12 y v4.x anteriores a v4.0.6 no actualiza el algoritmo "password-hash" para desactivar las cuentas de usuario, lo que facilita a atacantes dependiendo del contexto para determinar contraseñas en texto claro, y posiblemente usar esas contraseñas antes de que las cuentas estén restablecidas, mediante un ataque de fuerza bruta sobre la base de datos. NOTE: Esta vulnerabilidad es debida a una solución incompleta de CVE-2011-0009. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://secunia.com/advisories/49259 http://www.securityfocus.com/bid/53660 • CWE-255: Credentials Management Errors •

CVSS: 6.5EPSS: 0%CPEs: 187EXPL: 0

SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to execute arbitrary SQL commands by leveraging access to a privileged account. Vulnerabilidad de inyección SQL en Best Practical Solutions RT 2.x y 3.x anteriores a 3.8.12 y 4.x anteriores 4.0.6. Permite a usuarios remotos ejecutar comandos SQL de su elección utilizando el acceso a una cuenta privilegiada. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://osvdb.org/82136 http://secunia.com/advisories/49259 http://www.securityfocus.com/bid/53660 https://exchange.xforce.ibmcloud.com/vulnerabilities/75824 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •