On Mon, Aug 31, 2015 at 05:24:51PM +0200, Loïc Cadoret wrote:
> We are running RT 3.8.11 (update to RT 4.2.x is currently not an option)

Your RT instance contains arbitrary remote execution of code, session fixation and hijacking, XSS injection, SQL injection, and weak password hashing that allows trivial reconstruction of passwords from said SQL injection. Whatever your reasons are for 4.2 being "not an option," you should at _very_ least upgrade to 3.8.17, which resolves the worst of those. It will still, of course, be unsupported, and vulnerable to other vulnerabilities (including CVE-2014-9472, a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and CVE-2015-1464, which allow for information disclosure and session hijacking via RT's RSS feeds) but will be slightly less exploitable. Please upgrade.

- Alex