CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2012-2770
https://notcve.org/view.php?id=CVE-2012-2770
The Authen::ExternalAuth extension before 0.11 for Best Practical Solutions RT allows remote attackers to obtain a logged-in session via unspecified vectors related to the "URL of a RSS feed of the user." La extensión Authen::ExternalAuth anterior v0.11 para (Best Practical Solutions RT) permite a atacantes obtener una sesión con acceso a través de vectores no especificados relacionados con (URL of a RSS feed of the user). • http://lists.bestpractical.com/pipermail/rt-announce/2012-July/000208.html http://secunia.com/advisories/50060 http://www.securityfocus.com/bid/54681 https://exchange.xforce.ibmcloud.com/vulnerabilities/77213 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 49EXPL: 0CVE-2012-2769
https://notcve.org/view.php?id=CVE-2012-2769
Multiple cross-site scripting (XSS) vulnerabilities in the topic administration page in the Extension::MobileUI extension before 1.02 for Best Practical Solutions RT 3.8.x and in Best Practical Solutions RT before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en la página de administración de temas en la extensión Extension::MobileUI anterior a v1.02 para (Best Practical Solutions RT) v3.8.x y en (Best Practical Solutions RT) anterior a v4.0.6. • http://lists.bestpractical.com/pipermail/rt-announce/2012-July/000208.html http://secunia.com/advisories/50010 http://www.securityfocus.com/bid/54684 https://exchange.xforce.ibmcloud.com/vulnerabilities/77211 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2011-5093
https://notcve.org/view.php?id=CVE-2011-5093
Best Practical Solutions RT 4.x before 4.0.6 does not properly implement the DisallowExecuteCode option, which allows remote authenticated users to bypass intended access restrictions and execute arbitrary code by leveraging access to a privileged account, a different vulnerability than CVE-2011-4458 and CVE-2011-5092. Best Practical Solutions RT 4.x anteriores a 4.0.6 no implementa apropiadamente la opción DisallowExecuteCode, lo que permite a usuarios autenticados remotos evitar las restricciones de acceso previstas y ejecutar código arbitrario utilizando el acceso a una cuenta con privilegios. Una vulnerabilidad distinta a la CVE-2011-4458 y CVE-2011-5092. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 3%CPEs: 170EXPL: 0CVE-2011-5092
https://notcve.org/view.php?id=CVE-2011-5092
Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093. Best Practical Solutions RT 3.8.x anteriores a 3.8.12 y 4.x anteriores a 4.0.6 permite a atacantes remotos ejecutar código arbitrario y escalar privilegios a través de vectores de ataque sin especificar. Una vulnerabilidad distinta a la CVE-2011-4458 y CVE-2011-5093. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 170EXPL: 0CVE-2011-2082
https://notcve.org/view.php?id=CVE-2011-2082
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009. RT v3.x anterior a v3.8.12 y v4.x anteriores a v4.0.6 no actualiza el algoritmo "password-hash" para desactivar las cuentas de usuario, lo que facilita a atacantes dependiendo del contexto para determinar contraseñas en texto claro, y posiblemente usar esas contraseñas antes de que las cuentas estén restablecidas, mediante un ataque de fuerza bruta sobre la base de datos. NOTE: Esta vulnerabilidad es debida a una solución incompleta de CVE-2011-0009. • http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://secunia.com/advisories/49259 http://www.securityfocus.com/bid/53660 • CWE-255: Credentials Management Errors •