[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97559

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML

CVE-2011-2082

Date: (C)2012-06-04   (M)2015-12-16
 
CVSS Score: 5.0Access Vector: NETWORK
Exploitability Subscore: 10.0Access Complexity: LOW
Impact Subscore: 2.9Authentication: NONE
 Confidentiality: PARTIAL
 Integrity: NONE
 Availability: NONE











The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.

Reference:
SECUNIA-49259
BID-53660
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html

CPE    170
cpe:/a:bestpractical:rt:3.8.12
cpe:/a:bestpractical:rt:3.2.2:rc1
cpe:/a:bestpractical:rt:3.4.5:rc2
cpe:/a:bestpractical:rt:3.4.5:rc1
...
CWE    1
CWE-255
OVAL    4
oval:org.secpod.oval:def:103838
oval:org.secpod.oval:def:600815
oval:org.secpod.oval:def:103847
oval:org.secpod.oval:def:103842
...

© 2013 SecPod Technologies