CVSS: 4.0EPSS: 0%CPEs: 76EXPL: 0CVE-2011-1008
https://notcve.org/view.php?id=CVE-2011-1008
Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging. Scrips_Overlay.pm en Best Practical Solutions RT anterior a v3.8.9 no restringe el acceso adecuadamente a TicketObj en un Scrip después de un cambio en CurrentUser, lo que permite a usuarios autenticados obtener información sensible a través de vectores no especificados, como se demostró por el valor de información custom-field, relacionado con el registro SQL. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576 http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html http://openwall.com/lists/oss-security/2011/02/22/12 http://openwall.com/lists/oss-security/2011/02/22/16 http://openwall.com/lists/oss-security/2011/02/22/6 http://openwall.com/lists/oss-security/2011/02/23/22 http://openwall.com/lists/oss-security/2011/02/24/7 http://openwall.com/lists/oss-security/2011/02/24/8 http • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 76EXPL: 0CVE-2011-1007
https://notcve.org/view.php?id=CVE-2011-1007
Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout. Best Practical Solutions RT anterior a v3.8.9 no desarrolla ciertas redirecciones en el login, lo que permite a atacantes próximos físicamente obtener credenciales reenviando el formulario de registro a través del botón back en un buscador web en una máquina de trabajo no atendidad después de un cierre de sesión RT. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804 http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html http://openwall.com/lists/oss-security/2011/02/22/12 http://openwall.com/lists/oss-security/2011/02/22/16 http://openwall.com/lists/oss-security/2011/02/22/6 http://openwall.com/lists/oss-security/2011/02/23/22 http://openwall.com/lists/oss-security/2011/02/24/7 htt • CWE-255: Credentials Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 150EXPL: 0CVE-2011-0009
https://notcve.org/view.php?id=CVE-2011-0009
Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database. Best Practical Solutions RT v3.x anterior a v3.8.9rc2 y v4.x, utiliza el algoritmo MD5 para los hashes de contraseñas, lo que hace que sea más fácil para los atacantes dependientes del contexto determinar las contraseñas sin cifrar a través de un ataque de fuerza bruta sobre la base de datos. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610850 http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054740.html http://osvdb.org/70661 http://secunia.com/advisories/43438 http://www.debian.org/security/2011/dsa-2150 http://www.securityfocus.com/bid/45959 http://www.vupen.com/english/advisories/2011/0190 http://www.vupen.com/english/advisories/2011/0475 http://www.vupen.com • CWE-310: Cryptographic Issues •