CVSS: 6.8EPSS: 0%CPEs: 196EXPL: 0CVE-2011-2085
https://notcve.org/view.php?id=CVE-2011-2085
Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Best Practical Solutions RT anteriores a 3.8.12 y 4.x anteriores a 4.0.6. Permiten a usuarios remotos secuestrar (hijack) la autenticación de usuarios arbitrarios. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://secunia.com/advisories/49259 http://www.securityfocus.com/bid/53660 https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 79EXPL: 0CVE-2011-1686
https://notcve.org/view.php?id=CVE-2011-1686
Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data. Múltiples vulnerabilidades de inyección SQL en Best Practical Solutions RT v2.0.0 hasta v3.6.10, v3.8.0 hasta v3.8.9, y v4.0.0rc hasta 4.0.0rc7 permiten a usuarios remotos autenticados ejecutar comandos SQL a través de vectores no especificados, como se demostró mediante la lectura de datos. • http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000189.html http://secunia.com/advisories/44189 http://www.debian.org/security/2011/dsa-2220 http://www.securityfocus.com/bid/47383 http://www.vupen.com/english/advisories/2011/1071 https://bugzilla.red • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.6EPSS: 0%CPEs: 25EXPL: 0CVE-2011-1685
https://notcve.org/view.php?id=CVE-2011-1685
Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack. Best Practical Solutions RT v2.0.0 hasta v3.6.10, v3.8.0 hasta v3.8.9, y v4.0.0rc hasta 4.0.0rc7 cuando el campo CustomFieldValuesSources (también conocido como campo personalizado externo) está activada, permite a usuarios remotos autenticados, ejecutar código arbitrario a través de vectores no especificados, como lo demuestra un ataque falsificación de petición en sitios cruzados (CSRF) • http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html http://secunia.com/advisories/44189 http://www.debian.org/security/2011/dsa-2220 http://www.securityfocus.com/bid/47383 http://www.vupen.com/english/advisories/2011/1071 https://bugzilla.redhat.com/show_bug.cgi?id=696795 https://exchange.xforce.ibmcloud.com/vulner • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 79EXPL: 0CVE-2011-1689
https://notcve.org/view.php?id=CVE-2011-1689
Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Best Practical Solutions RT v2.0.0 hasta v3.6.10, v3.8.0 hasta v3.8.9, y v4.0.0rc hasta 4.0.0rc7, permite a atacantes remotos inyectar script de su elección o HTML a través desconocidos. • http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000189.html http://secunia.com/advisories/44189 http://www.debian.org/security/2011/dsa-2220 http://www.securityfocus.com/bid/47383 http://www.vupen.com/english/advisories/2011/1071 https://bugzilla.red • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 61EXPL: 0CVE-2011-1687
https://notcve.org/view.php?id=CVE-2011-1687
Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords. Best Practical Solutions RT v2.0.0 hasta v3.6.10, v3.8.0 hasta v3.8.9, y v4.0.0rc hasta 4.0.0rc7 permite a usuarios remotos autenticados, obtener información confidencial mediante el uso de la interfaz de búsqueda, como lo demuestra la recuperación de contraseñas codificadas. • http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000189.html http://secunia.com/advisories/44189 http://www.debian.org/security/2011/dsa-2220 http://www.securityfocus.com/bid/47383 http://www.vupen.com/english/advisories/2011/1071 https://bugzilla.red • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •