Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to hijack the authentication of administrators for requests that change administrator email, add a new administrator, or insert arbitrary script via (1) user_profile_edit.php or (2) user_add.php.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/18444
References (4)
Core References
Third Party Advisory · x_refsource_confirm
http://sitracker.org/wiki/ReleaseNotes365
Exploit · mailing-list · x_refsource_bugtraq
http://www.securityfocus.com/archive/1/519636
Vendor Advisory · third-party-advisory · x_refsource_secunia
http://secunia.com/advisories/46019
Exploit · x_refsource_misc
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html
Scores
EPSS
0.0018
EPSS Percentile
39.5%
Details
CWE
CWE-352
Status
published
Products (22)
sitracker/support_incident_tracker
3.6
sitracker/support_incident_tracker
3.21
sitracker/support_incident_tracker
3.22
sitracker/support_incident_tracker
3.22pl1
sitracker/support_incident_tracker
3.23
sitracker/support_incident_tracker
3.24 (2 CPE variants)
sitracker/support_incident_tracker
3.30 (2 CPE variants)
sitracker/support_incident_tracker
3.31
sitracker/support_incident_tracker
3.32
sitracker/support_incident_tracker
3.33
... and 12 more
Published
Jan 29, 2012
Tracked Since
Feb 18, 2026