Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Rt | Bestpractical | 3.8.0 (including) | 3.8.0 (including) |
Rt | Bestpractical | 3.8.1 (including) | 3.8.1 (including) |
Rt | Bestpractical | 3.8.2 (including) | 3.8.2 (including) |
Rt | Bestpractical | 3.8.3 (including) | 3.8.3 (including) |
Rt | Bestpractical | 3.8.4 (including) | 3.8.4 (including) |
Rt | Bestpractical | 3.8.5 (including) | 3.8.5 (including) |
Rt | Bestpractical | 3.8.6 (including) | 3.8.6 (including) |
Rt | Bestpractical | 3.8.6-rc1 (including) | 3.8.6-rc1 (including) |
Rt | Bestpractical | 3.8.7 (including) | 3.8.7 (including) |
Rt | Bestpractical | 3.8.7-rc1 (including) | 3.8.7-rc1 (including) |
Rt | Bestpractical | 3.8.8 (including) | 3.8.8 (including) |
Rt | Bestpractical | 3.8.8-rc2 (including) | 3.8.8-rc2 (including) |
Rt | Bestpractical | 3.8.8-rc3 (including) | 3.8.8-rc3 (including) |
Rt | Bestpractical | 3.8.8-rc4 (including) | 3.8.8-rc4 (including) |
Rt | Bestpractical | 3.8.9 (including) | 3.8.9 (including) |
Rt | Bestpractical | 3.8.9-rc1 (including) | 3.8.9-rc1 (including) |
Rt | Bestpractical | 3.8.9-rc2 (including) | 3.8.9-rc2 (including) |
Rt | Bestpractical | 3.8.9-rc3 (including) | 3.8.9-rc3 (including) |
Request-tracker3.8 | Ubuntu | karmic | * |
Request-tracker3.8 | Ubuntu | lucid | * |
Request-tracker3.8 | Ubuntu | maverick | * |
Request-tracker3.8 | Ubuntu | natty | * |
Request-tracker3.8 | Ubuntu | upstream | * |