Unrated severity · NVD Advisory · Published Apr 22, 2011 · Updated Apr 29, 2026

CVE-2011-1686

Description

Multiple SQL injection vulnerabilities in Best Practical RT allow authenticated users to read unauthorized ticket data and potentially arbitrary database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Multiple SQL injection vulnerabilities exist in Best Practical Solutions RT versions 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 [1][2]. The exact vectors are unspecified, but the flaws are present in the core codebase and do not require any special configuration to be reachable [1]. Deployments since 3.6.0 are additionally vulnerable to a more complex attack [1].

Exploitation

An authenticated user (either privileged or unprivileged) can exploit these vulnerabilities by sending crafted input to unspecified endpoints [1]. No special network position is required beyond normal authenticated access. The attacker does not need to be an administrator; any valid RT user account suffices [1]. For the more complex attack on versions 3.6.0 and later, a privileged user is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, primarily enabling unauthorized reading of ticket data [1]. The vendor states that these attacks are not believed to be capable of directly inserting, altering, or removing data from the database [1]. However, on deployments since 3.6.0, a privileged user can retrieve arbitrary data from the database, potentially including sensitive information [1].

Mitigation

The vulnerabilities are fixed in RT versions 3.6.11, 3.8.10, and 4.0.0rc8 [1][4]. Patches are also available for 3.6.10 and all versions of RT 3.8 [1]. Users should upgrade to the latest patched release or apply the provided patches. No workaround is documented; the fix requires updating the software.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Bestpractical/Rt: 80 versions
    • cpe:2.3:a:bestpractical:rt:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.10:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.9:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.6:rc1:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.8:rc2:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.8:rc3:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.8:rc4:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.9:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.9:rc1:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.9:rc2:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.9:rc3:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc6:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:4.0.0:rc7:*:*:*:*:*:*
    • (no CPE) range: 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7
