A vulnerability was found in Best Practical RT up to 3.6.9 (Ticket Tracking Software) and classified as critical. Affected by this issue is an unknown code. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093.

The weakness was published 06/04/2012 (Website). The advisory is available at lists.bestpractical.com. This vulnerability is handled as CVE-2011-5092 since 06/04/2012. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.

The vulnerability scanner Nessus provides a plugin with the ID 61434 (Request Tracker 3.x < 3.8.12 / 4.x < 4.0.6 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses and running in the context r.

Upgrading to version 3.6.10 eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (61434). Similar entries are available at 60891, 60889, 60888 and 60887.

Productinfo

Type

• Ticket Tracking Software

Vendor

• Best Practical

Name

• RT

Version

• 3.6.0
• 3.6.1
• 3.6.2
• 3.6.3
• 3.6.4
• 3.6.5
• 3.6.6
• 3.6.7
• 3.6.8
• 3.6.9

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion