[rt-users] scrip to delete a Cc address in a ticket

Alex Vandiver alex at chmrr.net
Tue Sep 1 03:29:42 EDT 2015


On Mon, Aug 31, 2015 at 05:24:51PM +0200, Loïc Cadoret wrote:
> We are running RT 3.8.11 (update to RT 4.2.x is currently not an option)

Your RT instance contains arbitrary remote execution of code, session
fixation and hijacking, XSS injection, SQL injection, and weak
password hashing that allows trivial reconstruction of passwords from
said SQL injection.

Whatever your reasons are for 4.2 being "not an option," you should at
the _very_ least upgrade to 3.8.17, which resolves the worst of those.  It
will still, of course, be unsupported, and vulnerable to other
vulnerabilities (including CVE-2014-9472, a denial-of-service via RT's
email gateway, as well as CVE-2015-1165 and CVE-2015-1464, which allow
for information disclosure and session hijacking via RT's RSS feeds)
but will be slightly less exploitable.

Please upgrade.
 - Alex