27 matches found
CVE-2021-38562
CVE-2021-38562 affects Best Practical Request Tracker (RT) prior to specific fixed releases. A timing-attack vulnerability in lib/RT/REST2/Middleware/Auth.pm can disclose sensitive information. Affected RT versions include 4.2.x before 4.2.17, 4.4.x before 4.4.5, and 5.0.x before 5.0.2. Public ad...
CVE-2017-5943
CVE-2017-5943 affects Request Tracker (RT) 4.x series. A remote attacker can obtain CSRF verification tokens by sending a crafted URL, enabling leakage of token data. Affected versions include RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2. CVSS appears high (8.8) with network ...
CVE-2022-25802
CVE-2022-25802 details: Best Practical Request Tracker (RT) is vulnerable to a cross-site scripting (XSS) flaw when displaying an attachment, exploitable via a crafted content type. Affected versions are RT 4.4.0–4.4.6 and RT 5.x prior to 5.0.3. Public sources indicate upstream fixes/patches have...
CVE-2023-41259
CVE-2023-41259 affects Best Practical Request Tracker (RT) prior to 4.4.7 and RT 5.x prior to 5.0.5, allowing Information Disclosure via fake or spoofed RT email headers in an email message or in the mail-gateway REST API call. The underlying issue is unvalidated email headers accepted by RT, ena...
CVE-2023-41260
CVE-2023-41260 affects Best Practical Request Tracker (RT) prior to 4.4.7 and RT 5.x prior to 5.0.5, enabling information exposure in responses to mail-gateway REST API calls. Public references indicate fixes in RT 4.4.7 and RT 5.0.5, with Debian LTS patching RT 4.4.3-2+deb10u3. No exploitation d...
CVE-2018-18898
CVE-2018-18898 affects email ingestion in Best Practical Request Tracker (RT): versions 4.1.13 through 4.4 are vulnerable to a DoS via an algorithmic complexity attack on email address parsing. The issue arises in the parsing component responsible for handling incoming email addresses, enabling rem...
CVE-2017-5944
The CVE-2017-5944 issue affects Best Practical Solutions RT 4.x, specifically versions before 4.0.25 (4.0.x), before 4.2.14 (4.2.x), and before 4.4.2 (4.4.x). The vulnerability arises in the dashboard subscription interface where a remote authenticated user with certain privileges can trigger arb...
CVE-2022-25803
The CVE-2022-25803 entry concerns Best Practical Request Tracker (RT) before 5.0.3, which is vulnerable to an Open Redirect via a ticket search. Public references note the issue as part of RT’s release notes for 5.0.3, indicating an in-product redirect vulnerability rather than a broader exploita...
CVE-2023-45024
CVE-2023-45024 affects Best Practical Request Tracker (RT) 5.x, with information disclosure via a transaction search in the transaction query builder. The vulnerability is associated with RT versions before 5.0.5, as cited in multiple sources (NVD entry for CVE-2023-45024 and related advisories)....
CVE-2017-5361
CVE-2017-5361 affects Request Tracker (RT) 4.x prior to 4.0.25, 4.2.x prior to 4.2.14, and 4.4.x prior to 4.4.2. Root cause: RT did not use a constant-time comparison for secrets, enabling remote timing side-channel observations to leak sensitive password information. Impact: partial confidential...
CVE-2015-1464
CVE-2015-1464 concerns Request Tracker (RT) session hijacking via an RSS feed URL. The vulnerability affects RT where RSS feed URLs could be exploited to log in as the user who created the feed. Affected are RT 4.0.x before 4.0.23 and RT 4.2.x before 4.2.10. Public advisories (Fedora, Debian) ind...
CVE-2025-30087
Best Practical RT (Request Tracker) is affected by CVE-2025-30087: versions 4.4 through 4.4.7 and 5.0 through 5.0.7 are vulnerable to cross-site scripting (XSS) via crafted parameters in a search URL. The connected documents confirm this vulnerability as an RT issue and reference release notes su...
CVE-2025-31501
Best Practical RT (Request Tracker) 5.0–5.0.7 is affected by an XSS vulnerability via JavaScript injection in an RT permalink. The issue is documented across multiple feeds as CVE-2025-31501 with exposure to remote users, and the impact described is cross-site scripting with low confidentiality/i...
CVE-2014-9472
The CVE-2014-9472 issue affects Best Practical Solutions RT (Request Tracker) versions 3.0.0–4.x up to 4.0.23 and 4.2.x up to 4.2.10, where the email gateway can be exploited by a crafted email to trigger a remote denial-of-service (CPU and disk usage). Connected advisories indicate this vulnerab...
CVE-2015-5475
CVE-2015-5475 affects Request Tracker (RT) 4.x up to 4.2.12. It is a cross-site scripting flaw in the user and group rights management pages, enabling remote attackers to inject arbitrary web script/HTML. The vulnerability is documented in multiple sources (NVD, Mageia/other advisories). The stat...
CVE-2025-31500
CVE-2025-31500 affects Best Practical RT (Request Tracker) 5.0–5.0.7, enabling cross-site scripting via JavaScript injection in an Asset name. The connected documents confirm the vulnerability and reference the RT 5.0.8 release, suggesting upgrading to 5.0.8 as remediation. No explicit exploit de...
CVE-2015-1165
CVE-2015-1165 affects RT (Request Tracker) 3.8.8 through RT 4.x up to 4.0.23 and 4.2.x up to 4.2.10, enabling remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. The connected advisories/documents indicate multiple vendors released security updates to addre...
CVE-2016-6127
CVE-2016-6127: In RT 4.x, an XSS vulnerability exists via file uploads when AlwaysDownloadAttachments is not enabled. Affected versions are RT 4.0.x up to 4.0.25, 4.2.x up to 4.2.14, and 4.4.x up to 4.4.2. Remote attackers can inject arbitrary web script/HTML through a file upload with an unspeci...
CVE-2015-6506
Summary: CVE-2015-6506 is a cross-site scripting (XSS) vulnerability in the Request Tracker (RT) cryptography interface, exploitable via a crafted public key in RT 4.x. Affected software: Request Tracker, versions before 4.2.12 (RT 4.x
CVE-2013-3736
CVE-2013-3736 is an XSS in MobileUI (RT-Extension-MobileUI) for Request Tracker (RT) 4.0.0 before 4.0.13 and MobileUI before 1.04. The flaw allows remote attackers to inject arbitrary web script or HTML via the name of an attached file. Affected components: MobileUI/RT-Extension-MobileUI; affecte...
CVE-2012-6578
CVE-2012-6578 affects Best Practical Solutions RT prior to 3.8.15 and 4.0.x prior to 4.0.8 when GnuPG signing is enabled with a "Sign by default" queue configuration. The flaw causes the system to sign messages using a queue’s key, enabling remote attackers to spoof messages due to missing authen...
CVE-2012-6579
The CVE-2012-6579 entry concerns Best Practical Solutions RT affected versions: RT 3.8.x before 3.8.15 and RT 4.0.x before 4.0.8, where enabling GnuPG allows remote attackers to configure encryption or signing for outbound e‑mail by sending a message to a queue address, potentially causing a deni...
CVE-2012-6581
Best Practical Solutions RT: Affected versions are RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 with GnuPG enabled. The vulnerability lets remote attackers bypass restrictions on reading keys in the keyring and trigger outbound e‑mail messages signed by an arbitrary stored secret key by abusing ...
CVE-2012-6580
CVE-2012-6580 affects Best Practical Solutions RT: RT 3.8.x before 3.8.15 and RT 4.0.x before 4.0.8, with GnuPG enabled. The issue is that the UI may not label unencrypted messages as unencrypted, which could allow remote attackers to spoof a message’s origin or interfere with encryption-policy a...
CVE-2013-3525
CVE-2013-3525 affects Request Tracker (RT) versions 4.0.10 and earlier in the Approvals/ section, where a SQL injection via the ShowPending parameter could allow remote command execution. The issue is consistently described across sources as a SQL injection vulnerability; the vendor disputes repl...
CVE-2013-3737
The CVE-2013-3737 issue affects the MobileUI (RT-Extension-MobileUI) for Request Tracker (RT) installations. It concerns MobileUI >=?
CVE-2026-6841
The CVE-2026-6841 entry describes a reflected cross-site scripting (XSS) vulnerability in Request Tracker (RT) that is triggered via the Page parameter in GET requests, allowing arbitrary JavaScript execution in the victim’s browser. Affected RT versions are 5.0.4–5.0.9 and 6.0.0–6.0.2. The vulne...