CVSS: 10.0EPSS: 1%CPEs: 6EXPL: 0CVE-2022-35865 – BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35865
12 Jul 2022 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. • https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It-Version-2 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-35864 – BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-35864
12 Jul 2022 — This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. • https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It-Version-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 11%CPEs: 1EXPL: 0CVE-2022-24047 – BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-24047
10 Feb 2022 — This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. • https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35001 – BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-35001
06 Jan 2022 — BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetData endpoint. • https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35002 – BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-35002
06 Jan 2022 — BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of email attachments. • https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 4CVE-2016-6598 – BMC Track-It! 11.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6598
26 Jan 2018 — BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM. BMC Track-It! • https://www.exploit-db.com/exploits/43883 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 4CVE-2016-6599 – BMC Track-It! 11.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6599
26 Jan 2018 — BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service ... • https://www.exploit-db.com/exploits/43883 • CWE-255: Credentials Management Errors •
CVSS: 9.8EPSS: 13%CPEs: 1EXPL: 0CVE-2014-8270 – BMC Track-It! Web Account Credential Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-8270
09 Dec 2014 — BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset. BMC Track-It! 11.3 permite a atacantes remotos ganar privilegios y ejecutar código arbitrario mediante la ceración de una cuenta cuya nombre coincide con él de una cuenta de sistema local, posteriormente realizando una recalibración de la contraseña. This vulnerability allows remote attackers to execute arbitrary ... • http://support.numarasoftware.com/support/articles.asp?how=%20AND%20&mode=detail&kcriteria=7508&ID=7654 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2014-4873 – BMC Track-It! - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-4873
08 Oct 2014 — SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It! 11.3.0.355 allows remote authenticated users to execute arbitrary SQL commands via crafted POST data. Vulnerabilidad de inyección SQL en TrackItWeb/Grid/GetData en BMC Track-It! 11.3.0.355 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de datos POST manipulados. BMC Track-it! • https://www.exploit-db.com/exploits/34924 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2014-4874 – BMC Track-It! - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-4874
08 Oct 2014 — BMC Track-It! 11.3.0.355 allows remote authenticated users to read arbitrary files by visiting the TrackItWeb/Attachment page. BMC Track-It! 11.3.0.355 permite a usuarios remotos autenticados leer ficheros arbitrarios mediante la visita a la página TrackItWeb/Attachment. BMC Track-it! • https://www.exploit-db.com/exploits/34924 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •