12 matches found

CVE
added 2013/08/23 4:0 p.m., 72 views

CVE-2013-3370

CVE-2013-3370 affects Request Tracker (RT) 3.8.x prior to 3.8.17 and 4.0.x prior to 4.0.13. The flaw is a failure to properly restrict access to private callback components, allowing remote attackers to trigger an unspecified impact via a direct request. The connected documents consistently describ...

CVSS 6.8, AI score 8.5, EPSS 0.0113
Exploits: 0, References: 7, Affected Software: 1
Debian CVE
added 2013/08/23 4:0 p.m., 24 views

CVE-2013-3371

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an attachment...

CVSS 4.3, AI score 7.6, EPSS 0.00442
Exploits: 0
CVE
added 2013/08/23 4:0 p.m., 55 views

CVE-2013-3369

CVE-2013-3369 affects Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13. The flaw allows remote authenticated users who have permission to view administration pages to execute arbitrary private components via unspecified vectors. The available connected sources corroborate the affe...

CVSS 6, AI score 8.4, EPSS 0.00628
Exploits: 0, References: 7, Affected Software: 1
CVE
added 2013/08/23 4:0 p.m., 61 views

CVE-2013-3368

The CVE-2013-3368 entry concerns RT (Request Tracker) where bin/rt in RT 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name. Connected documents reiterate this exact description across multip...

CVSS 3.3, AI score 8.1, EPSS 0.00042
Exploits: 0, References: 7, Affected Software: 1
UbuntuCve
added 2013/07/24 12:1 p.m., 21 views

CVE-2012-6580

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditin...

CVSS 4.3, AI score 5.9, EPSS 0.00131
Exploits: 0, References: 2
CVE
added 2013/07/24 10:0 a.m., 44 views

CVE-2012-6579

The CVE-2012-6579 entry concerns Best Practical Solutions RT affected versions: RT 3.8.x before 3.8.15 and RT 4.0.x before 4.0.8, where enabling GnuPG allows remote attackers to configure encryption or signing for outbound e‑mail by sending a message to a queue address, potentially causing a deni...

CVSS 6.4, AI score 6.7, EPSS 0.00247
Exploits: 0, References: 1, Affected Software: 1
Debian CVE
added 2013/07/24 10:0 a.m., 17 views

CVE-2012-6580

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditin...

CVSS 4.3, AI score 6.3, EPSS 0.00131
Exploits: 0
Cvelist
added 2013/07/24 10:0 a.m., 16 views

CVE-2012-6579

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly cause a denial of service (loss of e-mail readability), via an e-mail message to a queue's address...

AI score 6.5, EPSS 0.00247
Exploits: 0, References: 1
CVE
added 2013/07/24 10:0 a.m., 44 views

CVE-2012-6580

CVE-2012-6580 affects Best Practical Solutions RT: RT 3.8.x before 3.8.15 and RT 4.0.x before 4.0.8, with GnuPG enabled. The issue is that the UI may not label unencrypted messages as unencrypted, which could allow remote attackers to spoof a message’s origin or interfere with encryption-policy a...

CVSS 4.3, AI score 6.5, EPSS 0.00131
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2013/07/24 10:0 a.m., 45 views

CVE-2012-6581

Best Practical Solutions RT: Affected versions are RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 with GnuPG enabled. The vulnerability lets remote attackers bypass restrictions on reading keys in the keyring and trigger outbound e‑mail messages signed by an arbitrary stored secret key by abusing ...

CVSS 4.3, AI score 6.4, EPSS 0.00395
Exploits: 0, References: 1, Affected Software: 1
FreeBSD
added 2013/05/22 12:0 a.m., 27 views

RT -- multiple vulnerabilities

Thomas Sibley reports: We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0. The vulnerabilities address...

CVSS 6.8, AI score 9.2, EPSS 0.0113
Exploits: 0, References: 3
CVE
added 2012/11/11 11:0 a.m., 50 views

CVE-2012-4730

CVE-2012-4730 affects Best Practical Solutions’ Request Tracker (RT), specifically versions 3.8.x before 3.8.15 and 4.0.x before 4.0.8. The public description in the connected sources states that remote authenticated users who have ModifySelf or AdminUser privileges can inject arbitrary email hea...

CVSS 3.5, AI score 5.9, EPSS 0.00176
Exploits: 0, References: 1, Affected Software: 1