[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-2220-1 request-tracker3.6, request-tracker3.8 -- several

ID: oval:org.secpod.oval:def:600543Date: (C)2011-07-05   (M)2022-10-10
Class: PATCHFamily: unix




Several vulnerabilities were in Request Tracker, an issue tracking system. CVE-2011-1685 If the external custom field feature is enabled, Request Tracker allows authenticated users to execute arbitrary code with the permissions of the web server, possible triggered by a cross-site request forgery attack. CVE-2011-1686 Multiple SQL injection attacks allow authenticated users to obtain data from the database in an unauthorized way. CVE-2011-1687 An information leak allows an authenticated privileged user to obtain sensitive information, such as encrypted passwords, via the search interface. CVE-2011-1688 When running under certain web servers , Request Tracker is vulnerable to a directory traversal attack, allowing attackers to read any files accessible to the web server. Request Tracker instances running under Apache or Nginx are not affected. CVE-2011-1689 Request Tracker contains multiple cross-site scripting vulnerabilities. CVE-2011-1690 Request Tracker enables attackers to redirect authentication credentials supplied by legitimate users to third-party servers.

Platform:
Debian 5.0
Debian 6.0
Product:
request-tracker3.6
request-tracker3.8
Reference:
DSA-2220-1
CVE-2011-1685
CVE-2011-1686
CVE-2011-1687
CVE-2011-1688
CVE-2011-1689
CVE-2011-1690
CVE    6
CVE-2011-1689
CVE-2011-1688
CVE-2011-1687
CVE-2011-1690
...
CPE    4
cpe:/o:debian:debian_linux:5.0
cpe:/a:bestpractical:request-tracker3.6
cpe:/o:debian:debian_linux:6.0
cpe:/a:bestpractical:request-tracker3.8
...

© SecPod Technologies