Debian Request-Tracker4 vulnerabilities
44 known vulnerabilities affecting debian/request-tracker4.
Total CVEs: 44
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 32, LOW 5
Vulnerabilities
Page 3 of 3
CVE-2011-2082 [MEDIUM] CVSS 4.3, fixed in request-tracker4 4.0.5-3 (bookworm), 2011
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the d
CVE-2011-2083 [MEDIUM] CVSS 4.3, fixed in request-tracker4 4.0.5-3 (bookworm), 2011
Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.0.5-3)
bullseye: resolved (fixed in 4.0.5-3)
sid: resolved (fixed in 4.0.5-3)
CVE-2011-2085 [MEDIUM] CVSS 6.8, fixed in request-tracker4 4.0.5-3 (bookworm), 2011
Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users.
Scope: local
bookworm: resolved (fixed in 4.0.5-3)
bullseye: resolved (fixed in 4.0.5-3)
sid: resolved (fixed in 4.0.5-3)
CVE-2011-4459 [LOW] CVSS 3.5, fixed in request-tracker4 4.0.5-3 (bookworm), 2011
Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a group membership.
Scope: local
bookworm: resolved (fixed in 4.0.5-3)
bullseye: resolved (fixed in 4.0.5-3)
sid: resolved (fixed in 4.0.