SB2022071511 - Multiple vulnerabilities in BMC Track-It!

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the authorization of HTTP requests. A remote attacker can bypass implemented security restrictions and execute arbitrary code on the target system.

2) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the GetPopupSubQueryDetails endpoint. A remote user can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-22-968/
• https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It-Version-2
• https://www.zerodayinitiative.com/advisories/ZDI-22-967/