Track-It! 11.4 Hotfix 3 (18.104.22.1680) addresses two high-severity security vulnerabilities.
Track-It! 11.4 Security Vulnerability: unauthorized access through Track-It! Service components
The exploit published in CVE-2014-4872 was addressed in 11.4 Hotfix 02 (22.214.171.1245). A new exploit specific to 11.4 Hotfix 02 was recently reported. This new exploit can traverse to parent paths of the Track-It! server, upload a file, and execute code under the IIS user.
The exploit leverages the ConfigurationService and FileStorageService services, which allow a file to be uploaded anywhere in the Track-It! server's file system by means of parent path traversal, and arbitrary code to be executed via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
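The class of check that blocks parent path traversal in a file-storage service, shown as an added example (not the vendor's code or the hotfix itself). `STORAGE_ROOT`, `resolve_upload_path`, `is_allowed` and the sample names are assumptions; Python's `ntpath` is used so Windows path rules apply on any OS.

```python
import ntpath  # Windows path rules on any OS (the product runs under IIS)

# Hypothetical storage root; the page does not give the real directory layout.
STORAGE_ROOT = r"C:\AppData\FileStorage"


class UnsafePath(ValueError):
    """Raised when a client-supplied name would land outside the storage root."""


def resolve_upload_path(client_name: str, root: str = STORAGE_ROOT) -> str:
    """Return the normalized absolute path for an upload, or raise UnsafePath."""
    if not client_name or "\x00" in client_name:
        raise UnsafePath("empty name or embedded NUL")
    # A relative name never needs a colon; it marks a drive letter ("D:x")
    # or an NTFS alternate data stream ("a.txt:stream").
    if ":" in client_name:
        raise UnsafePath("drive or stream specifier")
    # Rooted names ("\x", "/x", "\\host\share\x") would replace the root in join().
    if client_name[0] in "\\/":
        raise UnsafePath("rooted or UNC path")
    # Win32 strips trailing dots and spaces, so ".. " is opened as "..".
    for part in client_name.replace("/", "\\").split("\\"):
        if part not in (".", "..") and part != part.rstrip(" ."):
            raise UnsafePath("component with trailing dot or space")
    # normpath collapses "." and ".." and unifies separators without touching disk.
    root_norm = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, client_name))
    # Compare whole components (note the trailing separator) and ignore case,
    # so a sibling such as "C:\AppData\FileStorageEvil" is not accepted.
    if not ntpath.normcase(candidate).startswith(root_norm + "\\"):
        raise UnsafePath("escapes storage root")
    return candidate


def is_allowed(client_name: str) -> bool:
    """Convenience wrapper: True only if the name resolves inside the root."""
    try:
        resolve_upload_path(client_name)
        return True
    except UnsafePath:
        return False
```

The check runs on the server against the final joined path, before any file handle is opened; validating only the raw client string misses names that normalize to a location outside the root.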
More details on this vulnerability can be found in Track-It! knowledge base here: