Vulnerability Details : CVE-2011-1685
Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.
Vulnerability category: Cross-site request forgery (CSRF)Execute code
Exploit prediction scoring system (EPSS) score for CVE-2011-1685
Probability of exploitation activity in the next 30 days: 0.43%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 72 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-1685
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.6
|
MEDIUM | AV:N/AC:H/Au:S/C:P/I:P/A:P |
3.9
|
6.4
|
NIST |
CWE ids for CVE-2011-1685
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-1685
-
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000188.html
[Rt-announce] RT 3.8.10 Released - Security ReleasePatch
-
http://www.securityfocus.com/bid/47383
RT Versions Prior to 3.6.11/3.8.10 Multiple Remote Vulnerabilities
-
http://www.debian.org/security/2011/dsa-2220
Debian -- Security Information -- DSA-2220-1 request-tracker3.6, request-tracker3.8
-
http://www.vupen.com/english/advisories/2011/1071
Webmail | OVH- OVH
-
https://bugzilla.redhat.com/show_bug.cgi?id=696795
696795 – (CVE-2011-1685, CVE-2011-1686, CVE-2011-1687, CVE-2011-1688, CVE-2011-1689, CVE-2011-1690) CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-2011-1690 rt3: several secPatch
-
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
[Rt-announce] Security vulnerabilities in RTPatch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/66791
Best Practical Solutions RT external custom field code execution CVE-2011-1685 Vulnerability Report
-
http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
Not Found — Best Practical SolutionsVendor Advisory
Products affected by CVE-2011-1685
- cpe:2.3:a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.9:rc3:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.8:rc3:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.8:rc4:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:3.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:rt:4.0.0:rc7:*:*:*:*:*:*