Successful exploitation will allow remote attackers to perform SQL injections, arbitrary file upload/download and code execution.
Hotfixes are available for CVE-2014-4873 and CVE-2014-4874. For CVE-2014-4872 there is currently no hotfix available. As a workaround, block all traffic from untrusted networks to TCP/UDP ports 9010 to 9020.
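One way to confirm the workaround is holding is to audit firewall or flow logs for permitted connections to ports 9010 to 9020 from sources outside the trusted ranges. This is an added example, not part of the original advisory or any BMC tooling; the record format, the trusted networks and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks allowed to reach the Track-It! server (placeholder ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
BLOCKED_PORTS = range(9010, 9021)      # 9010 to 9020 inclusive, per the workaround
BLOCKED_PROTOS = {"tcp", "udp"}

# Constructed flow records in a hypothetical format: "src_ip dst_port proto action"
SAMPLE_FLOWS = """\
10.20.4.17 9010 tcp ALLOW
203.0.113.45 9010 tcp ALLOW
203.0.113.45 9015 udp DROP
198.51.100.7 9020 udp ALLOW
198.51.100.7 9021 tcp ALLOW
192.168.50.9 9012 tcp ALLOW
not-an-ip 9010 tcp ALLOW
2001:db8::5 9011 tcp ALLOW
"""

def is_trusted(addr):
    """True if addr falls inside any trusted network (IPv6 never matches IPv4 nets)."""
    return any(addr in net for net in TRUSTED_NETS)

def audit_flows(flow_text):
    """Return (violations, malformed_line_numbers).

    A violation is an ALLOWed flow to a port the workaround should block,
    coming from a source that is not in TRUSTED_NETS.
    """
    violations, malformed = [], []
    for line_no, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src_s, port_s, proto, action = line.split()
            src, port = ipaddress.ip_address(src_s), int(port_s)
        except ValueError:
            malformed.append(line_no)  # keep unparsable lines visible, do not skip silently
            continue
        if (port in BLOCKED_PORTS and proto.lower() in BLOCKED_PROTOS
                and action.upper() == "ALLOW" and not is_trusted(src)):
            violations.append((line_no, str(src), port, proto.lower()))
    return violations, malformed

if __name__ == "__main__":
    bad, skipped = audit_flows(SAMPLE_FLOWS)
    for line_no, src, port, proto in bad:
        print(f"line {line_no}: {src} reached {proto}/{port} and was not blocked")
    print(f"unparsable lines: {skipped}")
```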
BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result (CVE-2014-4872). An authenticated user can engage in blind SQL Injection by entering comparison operators in the POST string for the /TrackItWeb/Grid/GetData page (CVE-2014-4873). A remote authenticated user can download arbitrary files on the /TrackItWeb/Attachment page (CVE-2014-4874).
BMC Track-It! version 220.127.116.115 and below.
Check the version of BMC Track-It!.