Published: 04/06/2012 Updated: 29/09/2012

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The vulnerable-passwords script in Best Practical Solutions RT 3.x prior to 3.8.12 and 4.x prior to 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent malicious users to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.

Vulnerable Product	Search on Vulmon	Subscribe to Product
bestpractical rt 3.6.0
bestpractical rt 3.5.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.4.0
bestpractical rt 3.2.1
bestpractical rt 3.2.0
bestpractical rt 3.4.5
bestpractical rt 3.4.4
bestpractical rt 3.0.11
bestpractical rt 3.1.4
bestpractical rt 3.1.3
bestpractical rt 3.1.6
bestpractical rt 3.1.16
bestpractical rt 3.1.13
bestpractical rt 3.0.7
bestpractical rt 3.0.10
bestpractical rt 3.4.1
bestpractical rt 3.0.7.1
bestpractical rt 3.7.80
bestpractical rt 3.6.6
bestpractical rt 3.6.4
bestpractical rt 3.6.3
bestpractical rt 3.8.7
bestpractical rt 3.8.8
bestpractical rt 3.8.5
bestpractical rt 3.6.9
bestpractical rt 3.8.0
bestpractical rt 3.8.9
bestpractical rt 3.8.11
bestpractical rt 3.6.2
bestpractical rt 3.2.3
bestpractical rt 3.4.2
bestpractical rt 3.1.2
bestpractical rt 3.1.10
bestpractical rt 3.1.15
bestpractical rt 3.0.5
bestpractical rt 3.0.6
bestpractical rt 3.0.1
bestpractical rt 3.0.9
bestpractical rt 3.7.86
bestpractical rt 3.7.5
bestpractical rt 3.6.5
bestpractical rt 3.7.1
bestpractical rt 3.8.2
bestpractical rt 3.8.6
bestpractical rt 3.8.10
bestpractical rt 3.6.1
bestpractical rt 3.5.7
bestpractical rt 3.2.2
bestpractical rt 3.4.3
bestpractical rt 3.1.7
bestpractical rt 3.1.17
bestpractical rt 3.1.12
bestpractical rt 3.0.4
bestpractical rt 3.0.3
bestpractical rt 3.7.85
bestpractical rt 3.6.8
bestpractical rt 3.8.4
bestpractical rt 3.8.3
bestpractical rt 3.6.7
bestpractical rt 3.8.1
bestpractical rt 3.5.5
bestpractical rt 3.5.6
bestpractical rt 3.6.10
bestpractical rt 3.5.2
bestpractical rt 3.5.1
bestpractical rt 3.4.7
bestpractical rt 3.1.5
bestpractical rt 3.1.8
bestpractical rt 3.1.14
bestpractical rt 3.1.11
bestpractical rt 3.0.12
bestpractical rt 3.0.2
bestpractical rt 3.0.8
bestpractical rt 3.0.0
bestpractical rt 4.0.0
bestpractical rt 3.8.12
bestpractical rt 4.0.2
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.5
bestpractical rt 4.0.1

Several vulnerabilities were discovered in Request Tracker, an issue tracking system: CVE-2011-2082 The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users CVE-2011-2083 Several cross-site scripting issues have been discovered CVE-2011-2084 Password hashes could be ...

CWE-255 http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html http://www.securityfocus.com/bid/53660 http://secunia.com/advisories/49259 https://nvd.nist.gov https://www.debian.org/security/./dsa-2480

Get Started

CVE-2011-2082

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect