7 matches found
CVE-2011-5072
Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) contractid parameter to contractaddservice.php; (3) id parameter to editescalationpath.php; (4) unlock, (5) lock...
Information disclosure
moveuploadedfile.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to obtain sensitive information via the file name, which reveals the installation path in an error message...
Unrestricted file upload
Unrestricted file upload vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in unspecified directory, a...
Design/Logic Flaw
Eval injection vulnerability in config.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated administrators to execute arbitrary PHP code via the applicationname parameter in a save action...
CVE-2011-3831
CVE-2011-3831 affects Support Incident Tracker (SiT!) 3.65. The vulnerability is an SQL injection in incident_attachments.php that allows remote attackers to execute arbitrary SQL commands via an uploaded file with a crafted file name. This is documented across multiple sources (NVD/NVD listing, ...
CVE-2011-5069
Unrestricted file upload vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in unspecified directory, a...
CVE-2011-5068
Multiple cross-site request forgery (CSRF) vulnerabilities in Support Incident Tracker (aka SiT!) 3.65 allow remote attackers to hijack the authentication of a user for requests that delete a user via userdelete.php and other unspecified programs...