Computer Security
[EN] no-pyccku

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:12685
Threat Level:
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:REQUESTTRACKER : request-tracker 3.8
 RTFM : rtfm 2.4
CVE:CVE-2012-4884 (Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG client.)
 CVE-2012-4735 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581. Reason: This candidate is a duplicate of CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, and CVE-2012-6581. Notes: All CVE users should reference one or more of CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, and CVE-2012-6581 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.)
 CVE-2012-4734 (Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protection mechanism and cause victims to "modify arbitrary state" via unknown vectors related to a crafted link.)
 CVE-2012-4732 (Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks.)
 CVE-2012-4731 (FAQ manager for Request Tracker (RTFM) before 2.4.5 does not properly check user rights, which allows remote authenticated users to create arbitrary articles in arbitrary classes via unknown vectors.)
 CVE-2012-4730 (Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject arbitrary email headers and conduct phishing attacks or obtain sensitive information via unknown vectors.)
Original documentdocumentMichal Blaszczak, PIAF H.M.S - SQL Injection (30.10.2012)
 documentDEBIAN, [SECURITY] [DSA 2567-1] request-tracker3.8 security update (30.10.2012)
 documentDEBIAN, [SECURITY] [DSA 2568-1] rtfm security update (30.10.2012)
 documentMichal Blaszczak, Exploit - EasyITSP by Lemens Telephone Systems 2.0.2 (30.10.2012)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod