Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
71 vulnerabilities by bestpractical
CVE-2026-41076 (GCVE-0-2026-41076)
Vulnerability from cvelistv5 – Published: 2026-05-22 21:36 – Updated: 2026-05-28 03:55
VLAI
Title
RT: LDAP authentication bypass via empty password
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/rt/security/advi… | x_refsource_CONFIRM |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | rt |
Affected:
< 5.0.10
Affected: >= 6.0.0, < 6.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:55:46.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rt",
"vendor": "bestpractical",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server\u0027s authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T21:36:21.585Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
}
],
"source": {
"advisory": "GHSA-3w28-fmcr-mjjx",
"discovery": "UNKNOWN"
},
"title": "RT: LDAP authentication bypass via empty password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41076",
"datePublished": "2026-05-22T21:36:21.585Z",
"dateReserved": "2026-04-16T16:43:03.175Z",
"dateUpdated": "2026-05-28T03:55:46.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41075 (GCVE-0-2026-41075)
Vulnerability from cvelistv5 – Published: 2026-05-22 21:17 – Updated: 2026-05-28 03:55
VLAI
Title
RT: SQL injection via entry_aggregator parameter in JSON search
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/rt/security/advi… | x_refsource_CONFIRM |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | rt |
Affected:
>= 5.0.0, < 5.0.10
Affected: >= 6.0.0, < 6.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:55:45.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rt",
"vendor": "bestpractical",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T21:17:36.063Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
}
],
"source": {
"advisory": "GHSA-7vf8-xv7w-97c6",
"discovery": "UNKNOWN"
},
"title": "RT: SQL injection via entry_aggregator parameter in JSON search"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41075",
"datePublished": "2026-05-22T21:17:36.063Z",
"dateReserved": "2026-04-16T16:43:03.175Z",
"dateUpdated": "2026-05-28T03:55:45.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41074 (GCVE-0-2026-41074)
Vulnerability from cvelistv5 – Published: 2026-05-22 21:12 – Updated: 2026-05-26 18:44
VLAI
Title
RT has broken CSRF protection for authenticated users
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/rt/security/advi… | x_refsource_CONFIRM |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | rt |
Affected:
>= 6.0.0, < 6.0.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:44:34.070817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:44:57.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rt",
"vendor": "bestpractical",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user\u0027s behalf. This issue has been fixed in version 6.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T21:12:41.473Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
}
],
"source": {
"advisory": "GHSA-265j-qx4w-256j",
"discovery": "UNKNOWN"
},
"title": "RT has broken CSRF protection for authenticated users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41074",
"datePublished": "2026-05-22T21:12:41.473Z",
"dateReserved": "2026-04-16T16:43:03.175Z",
"dateUpdated": "2026-05-26T18:44:57.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41073 (GCVE-0-2026-41073)
Vulnerability from cvelistv5 – Published: 2026-05-22 21:10 – Updated: 2026-05-23 02:57
VLAI
Title
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/rt/security/advi… | x_refsource_CONFIRM |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | rt |
Affected:
< 5.0.10
Affected: >= 6.0.0, < 6.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:57:10.802457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:57:38.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rt",
"vendor": "bestpractical",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T21:10:22.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
}
],
"source": {
"advisory": "GHSA-6x92-7v65-7m3r",
"discovery": "UNKNOWN"
},
"title": "RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41073",
"datePublished": "2026-05-22T21:10:22.249Z",
"dateReserved": "2026-04-16T16:43:03.174Z",
"dateUpdated": "2026-05-23T02:57:38.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6841 (GCVE-0-2026-6841)
Vulnerability from cvelistv5 – Published: 2026-05-21 11:49 – Updated: 2026-05-21 12:45 X_Open Source
VLAI
Title
Reflected XSS in Request Tracker
Summary
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/05/CVE-2026-6841 | third-party-advisory |
| https://requesttracker.com/request-tracker/ | product |
| https://docs.bestpractical.com/release-notes/rt/5.0.10 | release-notes |
| https://docs.bestpractical.com/release-notes/rt/6.0.3 | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Best Practical | Request Tracker |
Affected:
5.0.4 , < 5.0.10
(semver)
Affected: 6.0.0 , < 6.0.3 (semver) |
Date Public
2026-05-21 10:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T12:42:30.866693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T12:45:14.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"repo": "https://github.com/bestpractical/rt",
"vendor": "Best Practical",
"versions": [
{
"lessThan": "5.0.10",
"status": "affected",
"version": "5.0.4",
"versionType": "semver"
},
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksander Iwicki (CERT Polska)"
}
],
"datePublic": "2026-05-21T10:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u0026nbsp;6.0.2.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T11:49:07.533Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/05/CVE-2026-6841"
},
{
"tags": [
"product"
],
"url": "https://requesttracker.com/request-tracker/"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/6.0.3"
}
],
"source": {
"discovery": "INTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Reflected XSS in Request Tracker",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-6841",
"datePublished": "2026-05-21T11:49:07.533Z",
"dateReserved": "2026-04-22T07:09:40.481Z",
"dateUpdated": "2026-05-21T12:45:14.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61873 (GCVE-0-2025-61873)
Vulnerability from cvelistv5 – Published: 2026-01-16 00:00 – Updated: 2026-01-16 18:31
VLAI
Summary
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | Request Tracker |
Affected:
0 , < 4.4.9
(custom)
Affected: 5.0 , < 5.0.9 (custom) Affected: 6.0 , < 6.0.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T18:27:46.566310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T18:31:10.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"vendor": "bestpractical",
"versions": [
{
"lessThan": "4.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.9",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "6.0.2",
"status": "affected",
"version": "6.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.9",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T18:16:17.553Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61873",
"datePublished": "2026-01-16T00:00:00.000Z",
"dateReserved": "2025-10-03T00:00:00.000Z",
"dateUpdated": "2026-01-16T18:31:10.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30087 (GCVE-0-2025-30087)
Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-11-03 19:46
VLAI
Summary
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | RT |
Affected:
4.4.0 , < 4.4.8
(semver)
Affected: 5.0.0 , < 5.0.8 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T18:00:11.113721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T18:00:16.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:46:45.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RT",
"vendor": "bestpractical",
"versions": [
{
"lessThan": "4.4.8",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.8",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:53:01.345Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.8"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30087",
"datePublished": "2025-05-28T00:00:00.000Z",
"dateReserved": "2025-03-16T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:46:45.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31501 (GCVE-0-2025-31501)
Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
VLAI
Summary
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | RT |
Affected:
5.0.0 , < 5.0.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T17:59:24.546058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:59:29.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RT",
"vendor": "bestpractical",
"versions": [
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:48:25.633Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-31501",
"datePublished": "2025-05-28T00:00:00.000Z",
"dateReserved": "2025-03-28T00:00:00.000Z",
"dateUpdated": "2025-05-28T17:59:29.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31500 (GCVE-0-2025-31500)
Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
VLAI
Summary
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | RT |
Affected:
5.0.0 , < 5.0.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T17:59:42.444191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:59:47.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RT",
"vendor": "bestpractical",
"versions": [
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:45:41.901Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-31500",
"datePublished": "2025-05-28T00:00:00.000Z",
"dateReserved": "2025-03-28T00:00:00.000Z",
"dateUpdated": "2025-05-28T17:59:47.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45024 (GCVE-0-2023-45024)
Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2024-09-06 14:00
VLAI
Summary
Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T14:00:24.225531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T14:00:30.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T04:19:31.617Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-45024",
"datePublished": "2023-11-03T00:00:00.000Z",
"dateReserved": "2023-10-03T00:00:00.000Z",
"dateUpdated": "2024-09-06T14:00:30.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41259 (GCVE-0-2023-41259)
Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
VLAI
Summary
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| best_practical_solutions | request_tracker |
Affected:
0 , < 4.4.7
(custom)
Affected: 5x , < 5.0.5 (custom) cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:21:05.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "request_tracker",
"vendor": "best_practical_solutions",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.5",
"status": "affected",
"version": "5x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:52:22.819347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:54:06.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T04:14:28.149Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-41259",
"datePublished": "2023-11-03T00:00:00.000Z",
"dateReserved": "2023-08-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T19:21:05.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-41260 (GCVE-0-2023-41260)
Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
VLAI
Summary
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| best_practical_solutions | request_tracker |
Affected:
0 , < 4.4.7
(custom)
Affected: 5x , < 5.0.5 (custom) cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:21:06.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "request_tracker",
"vendor": "best_practical_solutions",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.5",
"status": "affected",
"version": "5x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:47:43.604407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:51:22.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T04:17:29.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
},
{
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-41260",
"datePublished": "2023-11-03T00:00:00.000Z",
"dateReserved": "2023-08-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T19:21:06.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25803 (GCVE-0-2022-25803)
Vulnerability from cvelistv5 – Published: 2022-07-14 11:51 – Updated: 2024-08-03 04:49
VLAI
Summary
Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://docs.bestpractical.com/release-notes/rt/i… | x_refsource_MISC |
| https://docs.bestpractical.com/release-notes/rt/5.0.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.287Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T11:51:19.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-25803",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bestpractical.com/release-notes/rt/index.html",
"refsource": "MISC",
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-25803",
"datePublished": "2022-07-14T11:51:19.000Z",
"dateReserved": "2022-02-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:49:43.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25802 (GCVE-0-2022-25802)
Vulnerability from cvelistv5 – Published: 2022-07-14 11:49 – Updated: 2024-08-03 04:49
VLAI
Summary
Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://docs.bestpractical.com/release-notes/rt/i… | x_refsource_MISC |
| https://docs.bestpractical.com/release-notes/rt/4.4.6 | x_refsource_CONFIRM |
| https://docs.bestpractical.com/release-notes/rt/5.0.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T11:49:40.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-25802",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bestpractical.com/release-notes/rt/index.html",
"refsource": "MISC",
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"name": "https://docs.bestpractical.com/release-notes/rt/4.4.6",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
},
{
"name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-25802",
"datePublished": "2022-07-14T11:49:40.000Z",
"dateReserved": "2022-02-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:49:43.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25801 (GCVE-0-2022-25801)
Vulnerability from cvelistv5 – Published: 2022-07-14 11:44 – Updated: 2024-08-03 04:49
VLAI
Summary
Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://docs.bestpractical.com/release-notes/rtir… | x_refsource_MISC |
| https://docs.bestpractical.com/release-notes/rtir/5.0.3 | x_refsource_CONFIRM |
| https://docs.bestpractical.com/release-notes/rtir/4.0.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T11:44:26.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-25801",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bestpractical.com/release-notes/rtir/index.html",
"refsource": "MISC",
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"name": "https://docs.bestpractical.com/release-notes/rtir/5.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"name": "https://docs.bestpractical.com/release-notes/rtir/4.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-25801",
"datePublished": "2022-07-14T11:44:26.000Z",
"dateReserved": "2022-02-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:49:43.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25800 (GCVE-0-2022-25800)
Vulnerability from cvelistv5 – Published: 2022-07-14 11:42 – Updated: 2024-08-03 04:49
VLAI
Summary
Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://docs.bestpractical.com/release-notes/rtir… | x_refsource_MISC |
| https://docs.bestpractical.com/release-notes/rtir/5.0.3 | x_refsource_CONFIRM |
| https://docs.bestpractical.com/release-notes/rtir/4.0.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T11:42:28.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-25800",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bestpractical.com/release-notes/rtir/index.html",
"refsource": "MISC",
"url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
},
{
"name": "https://docs.bestpractical.com/release-notes/rtir/5.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
},
{
"name": "https://docs.bestpractical.com/release-notes/rtir/4.0.3",
"refsource": "CONFIRM",
"url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-25800",
"datePublished": "2022-07-14T11:42:28.000Z",
"dateReserved": "2022-02-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:49:43.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38562 (GCVE-0-2021-38562)
Vulnerability from cvelistv5 – Published: 2021-10-18 08:52 – Updated: 2024-08-04 01:44
VLAI
Summary
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://docs.bestpractical.com/release-notes/rt/i… | x_refsource_MISC |
| https://github.com/bestpractical/rt/commit/70749b… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.debian.org/debian-lts-announce/2022… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:44:23.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c"
},
{
"name": "FEDORA-2021-825dd1879f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JK57CEEXLQF7MGBCUX76DZHXML7LUSQ/"
},
{
"name": "[debian-lts-announce] 20220623 [SECURITY] [DLA 3057-1] request-tracker4 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-23T09:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c"
},
{
"name": "FEDORA-2021-825dd1879f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JK57CEEXLQF7MGBCUX76DZHXML7LUSQ/"
},
{
"name": "[debian-lts-announce] 20220623 [SECURITY] [DLA 3057-1] request-tracker4 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00019.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-38562",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bestpractical.com/release-notes/rt/index.html",
"refsource": "MISC",
"url": "https://docs.bestpractical.com/release-notes/rt/index.html"
},
{
"name": "https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c",
"refsource": "CONFIRM",
"url": "https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c"
},
{
"name": "FEDORA-2021-825dd1879f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JK57CEEXLQF7MGBCUX76DZHXML7LUSQ/"
},
{
"name": "[debian-lts-announce] 20220623 [SECURITY] [DLA 3057-1] request-tracker4 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00019.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-38562",
"datePublished": "2021-10-18T08:52:58.000Z",
"dateReserved": "2021-08-11T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:44:23.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18898 (GCVE-0-2018-18898)
Vulnerability from cvelistv5 – Published: 2019-03-17 21:16 – Updated: 2024-08-05 11:23
VLAI
Summary
The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://bestpractical.com/download-page | x_refsource_CONFIRM |
| https://lists.debian.org/debian-lts-announce/2020… | mailing-listx_refsource_MLIST |
| https://usn.ubuntu.com/4517-1/ | vendor-advisoryx_refsource_UBUNTU |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2019-73cbc02e14",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CPJVDT77ZPRU5Z2BEMZM7EBY6WZHUATZ/"
},
{
"name": "FEDORA-2019-ef5551fcff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR46PPHBEM76DNN4DEQMAYIKLCO3TQU2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bestpractical.com/download-page"
},
{
"name": "[debian-lts-announce] 20200212 [SECURITY] [DLA 2101-1] libemail-address-list-perl security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00009.html"
},
{
"name": "USN-4517-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4517-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-22T14:06:11.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "FEDORA-2019-73cbc02e14",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CPJVDT77ZPRU5Z2BEMZM7EBY6WZHUATZ/"
},
{
"name": "FEDORA-2019-ef5551fcff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR46PPHBEM76DNN4DEQMAYIKLCO3TQU2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bestpractical.com/download-page"
},
{
"name": "[debian-lts-announce] 20200212 [SECURITY] [DLA 2101-1] libemail-address-list-perl security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00009.html"
},
{
"name": "USN-4517-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4517-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2019-73cbc02e14",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPJVDT77ZPRU5Z2BEMZM7EBY6WZHUATZ/"
},
{
"name": "FEDORA-2019-ef5551fcff",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YR46PPHBEM76DNN4DEQMAYIKLCO3TQU2/"
},
{
"name": "https://bestpractical.com/download-page",
"refsource": "CONFIRM",
"url": "https://bestpractical.com/download-page"
},
{
"name": "[debian-lts-announce] 20200212 [SECURITY] [DLA 2101-1] libemail-address-list-perl security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00009.html"
},
{
"name": "USN-4517-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4517-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18898",
"datePublished": "2019-03-17T21:16:19.000Z",
"dateReserved": "2018-11-02T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5944 (GCVE-0-2017-5944)
Vulnerability from cvelistv5 – Published: 2017-07-03 16:00 – Updated: 2024-08-05 15:18
VLAI
Summary
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://forum.bestpractical.com/t/security-vulner… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/99381 | vdb-entryx_refsource_BID |
| http://www.debian.org/security/2017/dsa-3882 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2017-06-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:49.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99381",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99381"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-05T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99381",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99381"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016",
"refsource": "CONFIRM",
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99381",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99381"
},
{
"name": "DSA-3882",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3882"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5944",
"datePublished": "2017-07-03T16:00:00.000Z",
"dateReserved": "2017-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:18:49.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5361 (GCVE-0-2017-5361)
Vulnerability from cvelistv5 – Published: 2017-07-03 16:00 – Updated: 2024-08-05 14:55
VLAI
Summary
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.debian.org/security/2017/dsa-3883 | vendor-advisoryx_refsource_DEBIAN |
| https://forum.bestpractical.com/t/security-vulner… | x_refsource_CONFIRM |
| http://www.debian.org/security/2017/dsa-3882 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2017-06-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3883",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3883"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-03T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3883",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3883"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5361",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3883",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3883"
},
{
"name": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016",
"refsource": "CONFIRM",
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "DSA-3882",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3882"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5361",
"datePublished": "2017-07-03T16:00:00.000Z",
"dateReserved": "2017-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5943 (GCVE-0-2017-5943)
Vulnerability from cvelistv5 – Published: 2017-07-03 16:00 – Updated: 2024-08-05 15:18
VLAI
Summary
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://forum.bestpractical.com/t/security-vulner… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/99384 | vdb-entryx_refsource_BID |
| http://www.debian.org/security/2017/dsa-3882 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2017-06-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:48.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99384",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99384"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-05T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99384",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99384"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5943",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016",
"refsource": "CONFIRM",
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99384",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99384"
},
{
"name": "DSA-3882",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3882"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5943",
"datePublished": "2017-07-03T16:00:00.000Z",
"dateReserved": "2017-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:18:48.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6127 (GCVE-0-2016-6127)
Vulnerability from cvelistv5 – Published: 2017-07-03 16:00 – Updated: 2024-08-06 01:22
VLAI
Summary
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://forum.bestpractical.com/t/security-vulner… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/99375 | vdb-entryx_refsource_BID |
| http://www.debian.org/security/2017/dsa-3882 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2017-06-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:22:20.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99375",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99375"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-05T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99375",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99375"
},
{
"name": "DSA-3882",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3882"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016",
"refsource": "CONFIRM",
"url": "https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"
},
{
"name": "99375",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99375"
},
{
"name": "DSA-3882",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3882"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6127",
"datePublished": "2017-07-03T16:00:00.000Z",
"dateReserved": "2016-06-29T00:00:00.000Z",
"dateUpdated": "2024-08-06T01:22:20.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6506 (GCVE-0-2015-6506)
Vulnerability from cvelistv5 – Published: 2015-09-03 14:00 – Updated: 2024-08-06 07:22
VLAI
Summary
Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://bestpractical.com/release-notes/rt/4.2.12 | x_refsource_CONFIRM |
| http://blog.bestpractical.com/2015/08/security-vu… | x_refsource_CONFIRM |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://www.debian.org/security/2015/dsa-3335 | vendor-advisoryx_refsource_DEBIAN |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| https://github.com/bestpractical/rt/commit/36a461… | x_refsource_CONFIRM |
Date Public
2015-08-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:22:22.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "FEDORA-2015-13664",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-20T16:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "FEDORA-2015-13664",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-6506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bestpractical.com/release-notes/rt/4.2.12",
"refsource": "CONFIRM",
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"name": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "FEDORA-2015-13664",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
},
{
"name": "https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d",
"refsource": "CONFIRM",
"url": "https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-6506",
"datePublished": "2015-09-03T14:00:00.000Z",
"dateReserved": "2015-08-18T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:22:22.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5475 (GCVE-0-2015-5475)
Vulnerability from cvelistv5 – Published: 2015-08-14 18:00 – Updated: 2024-08-06 06:50
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://bestpractical.com/release-notes/rt/4.2.12 | x_refsource_CONFIRM |
| http://blog.bestpractical.com/2015/08/security-vu… | x_refsource_CONFIRM |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://www.debian.org/security/2015/dsa-3335 | vendor-advisoryx_refsource_DEBIAN |
| http://www.securityfocus.com/bid/76364 | vdb-entryx_refsource_BID |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
Date Public
2015-08-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:02.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "76364",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/76364"
},
{
"name": "FEDORA-2015-13664",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-20T16:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "76364",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/76364"
},
{
"name": "FEDORA-2015-13664",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5475",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bestpractical.com/release-notes/rt/4.2.12",
"refsource": "CONFIRM",
"url": "https://bestpractical.com/release-notes/rt/4.2.12"
},
{
"name": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html"
},
{
"name": "FEDORA-2015-13718",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html"
},
{
"name": "FEDORA-2015-13641",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html"
},
{
"name": "DSA-3335",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3335"
},
{
"name": "76364",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/76364"
},
{
"name": "FEDORA-2015-13664",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5475",
"datePublished": "2015-08-14T18:00:00.000Z",
"dateReserved": "2015-07-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:02.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1464 (GCVE-0-2015-1464)
Vulnerability from cvelistv5 – Published: 2015-03-09 14:00 – Updated: 2024-08-06 04:47
VLAI
Summary
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://blog.bestpractical.com/2015/02/security-vu… | x_refsource_CONFIRM |
| http://www.debian.org/security/2015/dsa-3176 | vendor-advisoryx_refsource_DEBIAN |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
Date Public
2015-02-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-04-08T17:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1464",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1464",
"datePublished": "2015-03-09T14:00:00.000Z",
"dateReserved": "2015-02-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:47:16.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9472 (GCVE-0-2014-9472)
Vulnerability from cvelistv5 – Published: 2015-03-09 14:00 – Updated: 2024-08-06 13:47
VLAI
Summary
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://blog.bestpractical.com/2015/02/security-vu… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/72832 | vdb-entryx_refsource_BID |
| http://www.debian.org/security/2015/dsa-3176 | vendor-advisoryx_refsource_DEBIAN |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
Date Public
2015-02-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:47:40.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "72832",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72832"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-04-08T17:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "72832",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72832"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9472",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "72832",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72832"
},
{
"name": "DSA-3176",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9472",
"datePublished": "2015-03-09T14:00:00.000Z",
"dateReserved": "2015-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:47:40.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1165 (GCVE-0-2015-1165)
Vulnerability from cvelistv5 – Published: 2015-03-09 14:00 – Updated: 2024-08-06 04:33
VLAI
Summary
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://blog.bestpractical.com/2015/02/security-vu… | x_refsource_CONFIRM |
| http://www.debian.org/security/2015/dsa-3176 | vendor-advisoryx_refsource_DEBIAN |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisoryx_refsource_FEDORA |
Date Public
2015-02-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:33:20.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-04-08T17:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"
},
{
"name": "DSA-3176",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3176"
},
{
"name": "FEDORA-2015-4698",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"
},
{
"name": "FEDORA-2015-4666",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1165",
"datePublished": "2015-03-09T14:00:00.000Z",
"dateReserved": "2015-01-17T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:33:20.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3737 (GCVE-0-2013-3737)
Vulnerability from cvelistv5 – Published: 2014-11-16 02:00 – Updated: 2024-08-06 16:22
VLAI
Summary
The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.osvdb.org/94280 | vdb-entryx_refsource_OSVDB |
| http://lists.bestpractical.com/pipermail/rt-annou… | mailing-listx_refsource_MLIST |
| http://secunia.com/advisories/53799 | third-party-advisoryx_refsource_SECUNIA |
Date Public
2013-06-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:00.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94280",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/94280"
},
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "53799",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/53799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-06-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-16T01:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94280",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/94280"
},
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "53799",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/53799"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-3737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94280",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/94280"
},
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"refsource": "MLIST",
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "53799",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/53799"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-3737",
"datePublished": "2014-11-16T02:00:00.000Z",
"dateReserved": "2013-05-31T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:22:00.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1474 (GCVE-0-2014-1474)
Vulnerability from cvelistv5 – Published: 2014-07-15 14:00 – Updated: 2024-08-06 09:42
VLAI
Summary
Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://blog.bestpractical.com/2014/01/security-vu… | x_refsource_CONFIRM |
| https://metacpan.org/changes/release/ALEXMV/Email… | x_refsource_CONFIRM |
| http://lists.bestpractical.com/pipermail/rt-annou… | mailing-listx_refsource_MLIST |
Date Public
2014-01-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:35.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://metacpan.org/changes/release/ALEXMV/Email-Address-List-0.02"
},
{
"name": "[rt-announce] 20140612 RT 4.2.5 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2014-June/000257.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-07-15T11:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://metacpan.org/changes/release/ALEXMV/Email-Address-List-0.02"
},
{
"name": "[rt-announce] 20140612 RT 4.2.5 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2014-June/000257.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1474",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html",
"refsource": "CONFIRM",
"url": "http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html"
},
{
"name": "https://metacpan.org/changes/release/ALEXMV/Email-Address-List-0.02",
"refsource": "CONFIRM",
"url": "https://metacpan.org/changes/release/ALEXMV/Email-Address-List-0.02"
},
{
"name": "[rt-announce] 20140612 RT 4.2.5 released",
"refsource": "MLIST",
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2014-June/000257.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1474",
"datePublished": "2014-07-15T14:00:00.000Z",
"dateReserved": "2014-01-16T00:00:00.000Z",
"dateUpdated": "2024-08-06T09:42:35.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3736 (GCVE-0-2013-3736)
Vulnerability from cvelistv5 – Published: 2014-05-05 17:00 – Updated: 2024-08-06 16:22
VLAI
Summary
Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://lists.bestpractical.com/pipermail/rt-annou… | mailing-listx_refsource_MLIST |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| http://osvdb.org/94281 | vdb-entryx_refsource_OSVDB |
| http://secunia.com/advisories/53799 | third-party-advisoryx_refsource_SECUNIA |
Date Public
2013-06-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:00.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "rtextensionmobileui-cve20133736-xss(84963)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84963"
},
{
"name": "94281",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/94281"
},
{
"name": "53799",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/53799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-06-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "rtextensionmobileui-cve20133736-xss(84963)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84963"
},
{
"name": "94281",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/94281"
},
{
"name": "53799",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/53799"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-3736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rt-announce] 20130612 Security vulnerability in RT::Extension::MobileUI",
"refsource": "MLIST",
"url": "http://lists.bestpractical.com/pipermail/rt-announce/2013-June/000230.html"
},
{
"name": "rtextensionmobileui-cve20133736-xss(84963)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84963"
},
{
"name": "94281",
"refsource": "OSVDB",
"url": "http://osvdb.org/94281"
},
{
"name": "53799",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/53799"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-3736",
"datePublished": "2014-05-05T17:00:00.000Z",
"dateReserved": "2013-05-31T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:22:00.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}