This new exploit bypasses the mechanism fixed in 126.96.36.1995 (refer CVE-2014-4872). Using the new exploit an attacker can yet execute arbitrary code via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
In Track-It! version 188.8.131.525, while the messages which are sent between the client and the server are encrypted, this communication used a fix key authentication. The master key used to authenticate was a public key. This means that any user could negotiate an encryption key with the server and then execute any action bypassing authentication.
This is a new vulnerability which is unique to Track-It! Version 11.4.0435. We have reviewed and prioritized the issue as High (1). We highly recommend that you apply the cumulative patch stated in the workaround section to remediate this issue.
This is a known issue which is also published thru CVE-2015-8274. This security Vulnerability was found & reported by “Pedro Riberio working with Beyond Security's SecuriTeam Secure Disclosure program".
Should you still wish to contact support regarding this issue, please reference TL1069846
This vulnerability has been addressed and fixed in Track-It! 11.4 SP1 Version 184.108.40.2068 / 11.4.01 which is available in the Product Downloads section at http://www.bmc.com/support/support-central.html.