CVE-2011-1685

EUVD-2011-1685
Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
bestpracticalrt
3.8.0
bestpracticalrt
3.8.1
bestpracticalrt
3.8.2
bestpracticalrt
3.8.3
bestpracticalrt
3.8.4
bestpracticalrt
3.8.5
bestpracticalrt
3.8.6
bestpracticalrt
3.8.6:rc1
bestpracticalrt
3.8.7
bestpracticalrt
3.8.7:rc1
bestpracticalrt
3.8.8
bestpracticalrt
3.8.8:rc2
bestpracticalrt
3.8.8:rc3
bestpracticalrt
3.8.8:rc4
bestpracticalrt
3.8.9
bestpracticalrt
3.8.9:rc1
bestpracticalrt
3.8.9:rc2
bestpracticalrt
3.8.9:rc3
bestpracticalrt
4.0.0:rc1
bestpracticalrt
4.0.0:rc2
bestpracticalrt
4.0.0:rc3
bestpracticalrt
4.0.0:rc4
bestpracticalrt
4.0.0:rc5
bestpracticalrt
4.0.0:rc6
bestpracticalrt
4.0.0:rc7
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
request-tracker3.8
dapper
dne
hardy
dne
karmic
ignored
lucid
Fixed 3.8.7-1ubuntu2.2
released
maverick
Fixed 3.8.8-4ubuntu0.1
released
natty
Fixed 3.8.10-1
released
oneiric
not-affected
Common Weakness Enumeration
References
http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html
http://secunia.com/advisories/44189
http://www.debian.org/security/2011/dsa-2220
http://www.securityfocus.com/bid/47383
http://www.vupen.com/english/advisories/2011/1071
https://bugzilla.redhat.com/show_bug.cgi?id=696795
https://exchange.xforce.ibmcloud.com/vulnerabilities/66791
http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html
http://secunia.com/advisories/44189
http://www.debian.org/security/2011/dsa-2220
http://www.securityfocus.com/bid/47383
http://www.vupen.com/english/advisories/2011/1071
https://bugzilla.redhat.com/show_bug.cgi?id=696795
https://exchange.xforce.ibmcloud.com/vulnerabilities/66791