Vulnerabilities > Sitracker > Support Incident Tracker > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-02 | CVE-2019-20223 | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the id parameter is affected by XSS on all endpoints that use this parameter, a related issue to CVE-2012-2235. | 4.3 |
| 2020-01-02 | CVE-2019-20222 | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the Short Application Name and Application Name inputs in the config.php page are affected by XSS. | 4.3 |
| 2020-01-02 | CVE-2019-20221 | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the config.php page is affected by XSS. | 4.3 |
| 2020-01-02 | CVE-2019-20220 | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the search_id parameter in the search_incidents_advanced.php page is affected by XSS. | 4.3 |
| 2012-05-27 | CVE-2012-2235 | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker Cross-site scripting (XSS) vulnerability in Support Incident Tracker (SiT!) 3.65 and earlier allows remote attackers to inject arbitrary web script or HTML via the id parameter to index.php, which is not properly handled in an error message. | 4.3 |
| 2012-01-29 | CVE-2011-5075 | Unspecified vulnerability in Sitracker Support Incident Tracker translate.php in Support Incident Tracker (aka SiT!) 3.45 through 3.65 allows remote attackers to obtain sensitive information via a direct request using the save action, which reveals the installation path. | 5.0 |
| 2012-01-29 | CVE-2011-5074 | Cross-Site Request Forgery (CSRF) vulnerability in Sitracker Support Incident Tracker Multiple cross-site request forgery (CSRF) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to hijack the authentication of administrators for requests that change administrator email, add a new administrator, or insert arbitrary script via (1) user_profile_edit.php or (2) user_add.php. | 6.8 |
| 2012-01-29 | CVE-2011-5073 | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker Multiple cross-site scripting (XSS) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to inject arbitrary web script or HTML via the (1) mode parameter to contact_support.php; (2) contractid parameter to contract_add_service.php; (3) user parameter to edit_backup_users.php; (4) id parameter to edit_escalation_path.php; the Referer to (5) forgotpwd.php, (6) an approvalpage action to billable_incidents.php, or (7) transactions.php; (8) action parameter to inbox.php; (9) search_string parameter in a findcontact action to incident_add.php; table1 parameter to (10) report_customers.php, (11) report_incidents_by_engineer.php, (12) report_incidents_by_site.php, or (13) report_marketing.php; or the (14) startdate or (15) enddate parameter to report_incidents_by_vendor.php. | 4.3 |
| 2012-01-29 | CVE-2011-5070 | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker 3.65 Multiple cross-site scripting (XSS) vulnerabilities in Support Incident Tracker (aka SiT!) 3.65 allow remote attackers to inject arbitrary web script or HTML via (1) the file name to incident_attachments.php; (2) unspecified vectors in link_add.php, possibly involving origref, linkref, linktype parameters, which are not properly handled in the clean_int function in lib/base.inc.php, or the redirect parameter, which is not properly handled in the html_redirect function in lib/html.inc.php; and (3) unspecified vectors in translate.php. | 4.3 |
| 2012-01-29 | CVE-2011-5069 | Input Validation vulnerability in Sitracker Support Incident Tracker 3.65 Unrestricted file upload vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in unspecified directory, a different program than CVE-2011-3833. network sitracker | 6.0 |