VuXML ID | Description |
81e2b308-4a6c-11e4-b711-6805ca0b3d42 | rt42 -- vulnerabilities related to shellshock
Best Practical reports:
RT 4.2.0 and above may be vulnerable to arbitrary
execution of code by way of CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 --
collectively known as "Shellshock." This vulnerability
requires a privileged user with access to an RT instance
running with SMIME integration enabled; it applies to both
mod_perl and fastcgi deployments. If you have already
taken upgrades to bash to resolve "Shellshock," you are
protected from this vulnerability in RT, and there is no
need to apply this patch. This vulnerability has been
assigned CVE-2014-7227.
Discovery 2014-10-02 Entry 2014-10-02 rt42
ge 4.2.0 lt 4.2.8
http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html
CVE-2014-7227
|
7a92e958-5207-11e7-8d7c-6805ca0b3d42 | rt and dependent modules -- multiple security vulnerabilities
BestPractical reports:
Please reference CVE/URL list for details
Discovery 2017-06-15 Entry 2017-06-15 rt42
ge 4.2.0 lt 4.2.13_1
rt44
ge 4.4.0 lt 4.4.1_1
p5-RT-Authen-ExternalAuth
ge 0.9 lt 0.27
http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html
CVE-2015-7686
CVE-2016-6127
CVE-2017-5361
CVE-2017-5943
CVE-2017-5944
|
416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42 | rt -- XSS via jQuery
BestPractical reports:
The version of jQuery used in RT 4.2 and 4.4 has a
Cross-site Scripting (XSS) vulnerability when using
cross-domain Ajax requests. This vulnerability is assigned
CVE-2015-9251. RT
does not use this jQuery feature so it is not directly
vulnerable. jQuery version 1.12 no longer receives official
updates, however a fix was posted with recommendations for
applications to patch locally, so RT will follow this
recommendation and ship with a patched version.
Discovery 2019-03-05 Entry 2019-03-06 rt42
ge 4.2.0 lt 4.2.16
rt44
ge 4.4.0 lt 4.4.4
https://docs.bestpractical.com/release-notes/rt/4.4.4
https://docs.bestpractical.com/release-notes/rt/4.2.16
CVE-2015-9251
|
83b38a2c-413e-11e5-bfcf-6805ca0b3d42 | RT -- two XSS vulnerabilities
Best Practical reports:
RT 4.0.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the user and group rights
management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin
Kopec at Data Reliance Shared Service Center.
RT 4.2.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the cryptography interface.
This vulnerability could allow an attacker with a
carefully-crafted key to inject JavaScript into RT's user
interface. Installations which use neither GnuPG nor
S/MIME are unaffected.
Discovery 2015-08-12 Entry 2015-08-12 Modified 2015-08-18 rt42
ge 4.2.0 lt 4.2.12
rt40
ge 4.0.0 lt 4.0.24
CVE-2015-5475
CVE-2015-6506
http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html
|
d08f6002-c588-11e4-8495-6805ca0b3d42 | rt -- Remote DoS, Information disclosure and Session Hijackingvulnerabilities
Best Practical reports:
RT 3.0.0 and above, if running on Perl 5.14.0 or higher,
are vulnerable to a remote denial-of-service via the email
gateway; any installation which accepts mail from untrusted
sources is vulnerable, regardless of the permissions
configuration inside RT. This denial-of-service may
encompass both CPU and disk usage, depending on RT's logging
configuration. This vulnerability is assigned
CVE-2014-9472.
RT 3.8.8 and above are vulnerable to an information
disclosure attack which may reveal RSS feeds URLs, and thus
ticket data; this vulnerability is assigned
CVE-2015-1165. RSS feed URLs can also be leveraged to
perform session hijacking, allowing a user with the URL to
log in as the user that created the feed; this vulnerability
is assigned CVE-2015-1464.
Discovery 2015-02-26 Entry 2015-03-08 rt42
ge 4.2.0 lt 4.2.10
rt40
ge 4.0.0 lt 4.0.23
http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html
CVE-2014-9472
CVE-2015-1165
CVE-2015-1464
|