Thomas Goetz

#44779 of 53,633
5.8 CVSS total
Vulnerabilities · 1
PT-2009-6675
5.8
1970-01-01
Best Practical Solutions · Rt · CVE-2009-3585
**Name of the Vulnerable Software and Affected Versions**

- Best Practical Solutions RT versions 3.0.0 through 3.6.9
- Best Practical Solutions RT versions 3.8.x through 3.8.5
- rt3.4-clients (affected versions not specified)
- rt3.6-apache2 (affected versions not specified)
- rt3.6-db-mysql (affected versions not specified)
- rt3.4-apache (affected versions not specified)
- rt3.6-db-postgresql (affected versions not specified)
- rt3.6-apache (affected versions not specified)
- rt3.6-db-sqlite (affected versions not specified)
- rt3.6-clients (affected versions not specified)
- rt3.4-apache2 (affected versions not specified)

**Description**

The issue involves multiple vulnerabilities in the mentioned software packages, which can lead to the disruption of confidentiality and integrity of protected information. These vulnerabilities can be exploited remotely.

A session fixation vulnerability in the `html/Elements/SetupSessionCookie` component of Best Practical Solutions RT allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.

**Recommendations**

- For Best Practical Solutions RT versions 3.0.0 through 3.6.9, update to a version outside of this range to mitigate the risk.
- For Best Practical Solutions RT versions 3.8.x through 3.8.5, update to a version outside of this range to mitigate the risk.
- For rt3.4-clients, rt3.6-apache2, rt3.6-db-mysql, rt3.4-apache, rt3.6-db-postgresql, rt3.6-apache, rt3.6-db-sqlite, rt3.6-clients, and rt3.4-apache2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
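
Session fixation in general depends on a server keeping an identifier it did not issue, or keeping the same identifier across login. The Python model below is an added example, not RT's code or its fix; the `SessionStore` class, its methods and the sample identifier are hypothetical and constructed for illustration, showing the weak behaviour beside a hardened one.

```python
import secrets


class SessionStore:
    """Minimal in-memory model of a cookie-backed session table (constructed)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # session id -> session data

    def _new_sid(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def load(self, cookie_sid):
        """Return the session id the server will use for this request."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid and not self.hardened:
            # Weak behaviour: adopt an identifier the server never issued.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # Hardened: unknown or missing identifiers are replaced by a fresh one.
        return self._new_sid()

    def login(self, sid, user):
        """Authenticate the session; the hardened store rotates the identifier."""
        if self.hardened:
            del self.sessions[sid]
            sid = self._new_sid()
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, cookie_sid):
        return self.sessions.get(cookie_sid, {}).get("user")


def planted_id_is_authenticated(hardened, server_issued=False):
    """True if an identifier set from outside ends up bound to the victim's login."""
    store = SessionStore(hardened)
    # Constructed value standing in for a cookie set by another host in the domain,
    # or (server_issued=True) a valid pre-login identifier obtained beforehand.
    planted = store.load(None) if server_issued else "sid-chosen-by-another-host"
    sid = store.load(planted)   # victim's browser presents the planted cookie
    store.login(sid, "alice")   # victim then logs in
    return store.user_for(planted) == "alice"
```

Rotating the identifier at login is what covers the `server_issued=True` case, where the planted value is one the server would otherwise recognise as valid.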