SiT! Bugs - SiT!
View Issue Details
ID: 0001699
Project: SiT!
Category: security
View Status: public
Date Submitted: 2011-08-24 16:27
Last Update: 2011-09-04 20:45
Reporter: ivan
Assigned To: ivan
Priority: urgent
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 3.64 LTS
Target Version: 3.65 LTS
Fixed in Version: 3.65 LTS
Summary: 0001699: Multiple security vulnerabilities HTB23043
Description:
http://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html

Vulnerability ID: HTB23043
Product: SiT! Support Incident Tracker
Vendor: The Support Incident Tracker Project ( http://sitracker.org/ )
Vulnerable Version: 3.64 and probably prior
Tested on: 3.64
Vendor Notification: 24 August 2011
Public Disclosure: 14 September 2011
Vulnerability Type: SQL Injection, XSS, CSRF
Risk level: High
    
Credit: High-Tech Bridge SA Security Research Lab
Vulnerability Details:
To be disclosed on 14 September 2011
(Please see General Information & Disclosure Policy)

Full Details received privately via email.
Tags: No tags attached.
Relationships: has duplicate 0001700 (closed, ivan): SiT! Security Vulnerabilities Notification
Issue History
2011-08-24 16:27 | ivan | New Issue
2011-08-24 16:27 | ivan | Status | new => assigned
2011-08-24 16:27 | ivan | Assigned To | => ivan
2011-08-24 17:50 | ivan | Note Added: 0004255
2011-08-24 20:32 | ivan | Relationship added | has duplicate 0001700
2011-09-01 17:29 | ivan | Note Added: 0004279
2011-09-01 17:29 | ivan | Status | assigned => resolved
2011-09-01 17:29 | ivan | Fixed in Version | => Current SVN
2011-09-01 17:29 | ivan | Resolution | open => fixed
2011-09-04 17:37 | ivan | Fixed in Version | Current SVN => 3.65 LTS
2011-09-04 17:37 | ivan | View Status | private => public
2011-09-04 20:45 | ivan | Note Added: 0004284
2011-09-04 20:45 | ivan | Status | resolved => closed

Notes
(0004255)
ivan   
2011-08-24 17:50   
Need to check param 'table1' in QBE report
and "search_string" GET parameter to incident_add.php
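The checks ivan's note calls for, as an added illustrative example in PHP (the language SiT! is written in, as the .php handler name shows). This is not SiT!'s code and not the High-Tech Bridge advisory's details, which the page says were disclosed separately. The allowlist of table names, the function names, the query shape and the use of $_GET['search_string'] in a form field are assumptions made for the example. The page does not say which of the advisory's three classes (SQL injection, XSS, CSRF) each parameter belongs to, so the example covers all three: identifier allowlisting for 'table1' (a table name cannot be bound as a prepared-statement parameter), output encoding for a reflected 'search_string', and a per-session token for state-changing forms.

```php
<?php
// Added illustrative example; not SiT!'s code. Table names, handler names
// and query shape are assumptions made for the example.
declare(strict_types=1);

// Hypothetical allowlist of tables the QBE report is permitted to query.
const QBE_ALLOWED_TABLES = ['incidents', 'contacts', 'sites', 'users'];

/**
 * Validate a user-supplied table name ('table1') against the allowlist.
 * A table name is an SQL identifier, so it cannot be bound as a prepared
 * statement parameter; exact-match allowlisting is the safe option.
 * Returns the canonical name, or null when the value is not permitted.
 */
function qbe_table_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return in_array($raw, QBE_ALLOWED_TABLES, true) ? $raw : null;
}

/**
 * Build the QBE statement: the identifier comes only from the allowlist,
 * the search value is bound (never interpolated), and LIKE metacharacters
 * in the value are escaped so the user cannot widen the match.
 */
function qbe_build_query(mysqli $db, string $table1, string $needle): mysqli_stmt
{
    $table = qbe_table_name($table1);
    if ($table === null) {
        throw new InvalidArgumentException('table1 is not a permitted table');
    }
    $stmt = $db->prepare("SELECT id, title FROM `{$table}` WHERE title LIKE ?");
    $pattern = '%' . addcslashes($needle, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    return $stmt;
}

/**
 * Encode a value before echoing it into HTML (attribute or element body),
 * e.g. when a handler like incident_add.php reflects 'search_string' back
 * into a form.
 */
function html_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Per-session anti-CSRF token: embed it in every state-changing form and
 * verify it on submission with a constant-time comparison.
 */
function csrf_token(): string
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical use in a GET handler such as incident_add.php: the reflected
// value is encoded, and the form carries the session token for csrf_check().
$search = isset($_GET['search_string']) ? (string) $_GET['search_string'] : '';
echo '<form method="post" action="incident_add.php">', "\n";
echo '  <input type="hidden" name="csrf_token" value="', html_safe(csrf_token()), '">', "\n";
echo '  <input type="text" name="search_string" value="', html_safe($search), '">', "\n";
echo '</form>', "\n";
```

The point of the allowlist is that escaping does not help for identifiers: mysqli_real_escape_string and bound parameters protect values, not table or column names, so a user-controlled table name has to be compared against a fixed set. The POST handler is expected to call csrf_check($_POST['csrf_token'] ?? null) before touching the database.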
(0004279)
ivan   
2011-09-01 17:29   
Fixed in SVN for v3.65 and ported to Git for v3.90
(0004284)
ivan   
2011-09-04 20:45   
Fix released in v3.65