Vulnerability Name: CVE-2011-1007 (CCN-65771)

Assigned: 2011-01-24
Published: 2011-01-24
Updated: 2021-02-25
Summary: Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-255
Vulnerability Consequences: Obtain Information
References:

Source: CCN
Type: Best Practical Web site
Best Practical

Source: CONFIRM
Type: Patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575

Source: MITRE
Type: CNA
CVE-2011-1007

Source: CONFIRM
Type: UNKNOWN
http://issues.bestpractical.com/Ticket/Display.html?id=15804

Source: CCN
Type: Rt Announce Mailing List
RT 3.8.9 Released

Source: MLIST
Type: Patch
[rt-announce] 20110216 RT 3.8.9 Released

Source: MLIST
Type: Patch
[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

Source: MLIST
Type: Patch
[oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

Source: MLIST
Type: UNKNOWN
[oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

Source: MLIST
Type: UNKNOWN
[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition

Source: OSVDB
Type: UNKNOWN
71012

Source: CCN
Type: SA43438
RT Information Disclosure Vulnerability

Source: SECUNIA
Type: Vendor Advisory
43438

Source: CCN
Type: OSVDB ID: 71012
RT Form Data Resubmission Login Credentials Disclosure

Source: VUPEN
Type: Vendor Advisory
ADV-2011-0475

Source: XF
Type: UNKNOWN
rt-login-information-disclosure(65771)

Source: CONFIRM
Type: Patch
https://github.com/bestpractical/rt/commit/057552287159e801535e59b8fbd5bd98d1322069

Source: CONFIRM
Type: Patch
https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4

Source: MLIST
Type: UNKNOWN
[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar

Vulnerable Configuration: Configuration 1:
  • cpe:/a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.8:rc2:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.7:rc1:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.15:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.14:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.9:rc1:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.9:rc2:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.8:rc4:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.8:rc3:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:*:rc3:*:*:*:*:*:* (Version <= 3.8.9)

Configuration CCN 1:
  • cpe:/a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.7:*:*:*:*:*:*:*
  • OR cpe:/a:bestpractical:rt:3.8.8:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID: oval:com.ubuntu.precise:def:20111007000
Class: V
Title: CVE-2011-1007 on Ubuntu 12.04 LTS (precise) - low.
Last Modified: 2011-02-28