PRIOn knowledge basePRION:CVE-2012-4733

HistoryAug 23, 2013 - 4:55 p.m.

Cross site request forgery (csrf)

2013-08-2316:55:00

PRIOn knowledge base

www.prio-n.com

6.6 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

68.2%

JSON

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and “custom lifecycle transition” permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.

CPENameOperatorVersion
rteq4.0.12
rteq4.0.0 rc4
rteq4.0.11
rteq4.0.3
rteq4.0.0 rc7
rteq4.0.1
rteq4.0.0 rc3
rteq4.0.0 rc8
rteq4.0.0 rc6
rteq4.0.1 rc1

Name	Operator	Version
rt	eq	4.0.12
rt	eq	4.0.0 rc4
rt	eq	4.0.11
rt	eq	4.0.3
rt	eq	4.0.0 rc7
rt	eq	4.0.1
rt	eq	4.0.0 rc3
rt	eq	4.0.0 rc8
rt	eq	4.0.0 rc6
rt	eq	4.0.1 rc1

Rows per page:

1-10 of 191

References

lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html

lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html

secunia.com/advisories/53522

www.osvdb.org/93611