CVE-2011-1685: Cross-Site Request Forgery in RT

Severity
4.6 MEDIUM (NVD)
EPSS
1.1%
top 21.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 22
Latest update: May 17

Description

Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.

CVSS vector

AV:N/AC:H/C:P/I:P/A:P
Exploitability: 3.9 | Impact: 6.4

Affected Packages (1 package)

NVD: bestpractical/rt (11 versions)

Patches

🔴Vulnerability Details

1
GHSA
GHSA-j6xx-f4pg-fp88: Best Practical Solutions RT 3 (2022-05-17)

💬Community

1
Bugzilla
CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-2011-1690 rt3: several security flaws fixed in 3.6.11, 3.8.10 (2011-04-14)