Filtered by vendor Bestpractical
Subscribe
Total
61 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2011-1690 | 1 Bestpractical | 1 Rt | 2017-08-16 | 4.3 MEDIUM | N/A |
Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors. | |||||
CVE-2011-1685 | 1 Bestpractical | 1 Rt | 2017-08-16 | 4.6 MEDIUM | N/A |
Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack. | |||||
CVE-2011-1686 | 1 Bestpractical | 1 Rt | 2017-08-16 | 6.5 MEDIUM | N/A |
Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data. | |||||
CVE-2011-1687 | 1 Bestpractical | 1 Rt | 2017-08-16 | 4.0 MEDIUM | N/A |
Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords. | |||||
CVE-2009-4151 | 1 Bestpractical | 1 Rt | 2017-08-16 | 5.8 MEDIUM | N/A |
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585. | |||||
CVE-2009-3585 | 1 Bestpractical | 1 Rt | 2017-08-16 | 5.8 MEDIUM | N/A |
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain. | |||||
CVE-2008-3502 | 1 Bestpractical | 1 Rt | 2017-08-07 | 4.0 MEDIUM | N/A |
Unspecified vulnerability in Best Practical Solutions RT 3.0.0 through 3.6.6 allows remote authenticated users to cause a denial of service (CPU or memory consumption) via unspecified vectors related to the Devel::StackTrace module for Perl. | |||||
CVE-2017-5943 | 1 Bestpractical | 1 Request Tracker | 2017-07-07 | 6.8 MEDIUM | 8.8 HIGH |
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL. | |||||
CVE-2016-6127 | 1 Bestpractical | 1 Request Tracker | 2017-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type. | |||||
CVE-2015-5475 | 1 Bestpractical | 1 Request Tracker | 2016-12-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages. | |||||
CVE-2015-6506 | 1 Bestpractical | 1 Request Tracker | 2016-12-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key. | |||||
CVE-2014-9472 | 3 Bestpractical, Debian, Fedoraproject | 3 Request Tracker, Debian Linux, Fedora | 2016-08-23 | 7.1 HIGH | N/A |
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email. | |||||
CVE-2015-1165 | 3 Bestpractical, Debian, Fedoraproject | 3 Request Tracker, Debian Linux, Fedora | 2015-10-27 | 5.0 MEDIUM | N/A |
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. | |||||
CVE-2015-1464 | 2 Bestpractical, Fedoraproject | 2 Request Tracker, Fedora | 2015-10-27 | 6.4 MEDIUM | N/A |
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL. | |||||
CVE-2013-3737 | 1 Bestpractical | 1 Request Tracker | 2015-02-10 | 5.0 MEDIUM | N/A |
The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors. | |||||
CVE-2014-1474 | 2 Bestpractical, Email\ | 2 Rt, \ | 2014-07-15 | 5.0 MEDIUM | N/A |
Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address. | |||||
CVE-2012-4733 | 1 Bestpractical | 1 Rt | 2013-08-27 | 6.0 MEDIUM | N/A |
Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors. | |||||
CVE-2013-3369 | 1 Bestpractical | 1 Rt | 2013-08-27 | 6.0 MEDIUM | N/A |
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors. | |||||
CVE-2013-3372 | 1 Bestpractical | 1 Rt | 2013-08-27 | 4.3 MEDIUM | N/A |
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||||
CVE-2013-5587 | 1 Bestpractical | 1 Rt | 2013-08-26 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions. |