MidnightBSD

Advisories for bestpractical

CVE-2009-3892 MEDIUM

Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions allows remote attackers to inject arbitrary web script or HTML via certain Custom Fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 3.4.6
bestpractical rt 3.6.8
bestpractical rt 3.6.1
bestpractical rt 3.6.4
bestpractical rt 3.6.0
bestpractical rt 3.6.5
bestpractical rt 3.6.2
bestpractical rt 3.8.1
bestpractical rt 3.8.4
bestpractical rt 3.8.2
bestpractical rt 3.6.6
bestpractical rt 3.6.3
bestpractical rt 3.8.3
bestpractical rt 3.6.7
bestpractical rt 3.8.0
CVE-2011-0009 MEDIUM

Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt *
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-1007 LOW

Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt *
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 2.0.12
bestpractical rt 1.0.1
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 1.0.2
bestpractical rt 1.0.4
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 1.0.3
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 2.0.3
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 2.0.9
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.8.5
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 2.0.4
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 3.8.4
bestpractical rt 2.0.5.3
bestpractical rt 1.0.5
bestpractical rt 2.0.8
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.8.7
bestpractical rt 1.0.6
bestpractical rt 2.0.13
bestpractical rt 1.0.7
bestpractical rt 2.0.5.1
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 1.0.0
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.0.0
CVE-2011-1008 MEDIUM

Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt *
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 2.0.12
bestpractical rt 1.0.1
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 1.0.2
bestpractical rt 1.0.4
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 1.0.3
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 2.0.3
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 2.0.9
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.8.5
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 2.0.4
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 3.8.4
bestpractical rt 2.0.5.3
bestpractical rt 1.0.5
bestpractical rt 2.0.8
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.8.7
bestpractical rt 1.0.6
bestpractical rt 2.0.13
bestpractical rt 1.0.7
bestpractical rt 2.0.5.1
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 1.0.0
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.0.0
CVE-2011-1685 MEDIUM

Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
bestpractical rt 3.8.2
bestpractical rt 3.8.6
bestpractical rt 3.8.7
bestpractical rt 4.0.0
bestpractical rt 3.8.3
bestpractical rt 3.8.0
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.8.1
bestpractical rt 3.8.5
bestpractical rt 3.8.4
CVE-2011-1686 MEDIUM

Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 2.0.12
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 4.0.0
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 2.0.3
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 2.0.9
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.8.5
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 2.0.4
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 3.8.4
bestpractical rt 2.0.5.3
bestpractical rt 2.0.8
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.8.7
bestpractical rt 2.0.13
bestpractical rt 2.0.5.1
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.0.0
CVE-2011-1687 MEDIUM

Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.2.3
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.0.1
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 4.0.0
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.0.12
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.0.10
bestpractical rt 3.8.7
bestpractical rt 3.6.1
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.8.1
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.4.3
bestpractical rt 3.0.7.1
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.6.3
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.8.5
CVE-2011-1688 MEDIUM

Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote attackers to read arbitrary files via a crafted HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.2.3
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.4.4
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 4.0.0
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.8.7
bestpractical rt 3.6.1
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.8.1
bestpractical rt 3.4.1
bestpractical rt 3.4.3
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.6.3
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.8.5
CVE-2011-1689 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.4.5
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 2.0.12
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 4.0.0
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 2.0.3
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 2.0.9
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.8.5
bestpractical rt 3.6.8
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 2.0.4
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 3.8.4
bestpractical rt 2.0.5.3
bestpractical rt 2.0.8
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.8.7
bestpractical rt 2.0.13
bestpractical rt 2.0.5.1
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.8.3
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.0.0
CVE-2011-1690 MEDIUM

Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
bestpractical rt 3.8.7
bestpractical rt 3.6.8
bestpractical rt 3.6.1
bestpractical rt 3.6.4
bestpractical rt 3.6.9
bestpractical rt 3.6.10
bestpractical rt 3.6.0
bestpractical rt 3.6.5
bestpractical rt 3.6.2
bestpractical rt 3.8.1
bestpractical rt 3.8.4
bestpractical rt 3.8.2
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.6.3
bestpractical rt 3.8.3
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.8.8
bestpractical rt 3.8.5
CVE-2011-2082 MEDIUM

The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 4.0.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-2083 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 4.0.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-2084 MEDIUM

Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to read (1) hashes of former passwords and (2) ticket correspondence history by leveraging access to a privileged account.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 4.0.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-2085 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 3.5.4
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 1.0.1
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 1.0.2
bestpractical rt 3.5.3
bestpractical rt 1.0.4
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.9
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.5.1
bestpractical rt 3.8.10
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.7.80
bestpractical rt 2.0.4
bestpractical rt 3.8.4
bestpractical rt 1.0.5
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 2.0.13
bestpractical rt 1.0.7
bestpractical rt 2.0.5.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7.1
bestpractical rt 1.0.0
bestpractical rt 3.0.0
bestpractical rt 4.0.3
bestpractical rt 3.4.6
bestpractical rt 3.7.5
bestpractical rt *
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 2.0.12
bestpractical rt 3.7.1
bestpractical rt 3.4.0
bestpractical rt 3.5.2
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.5
bestpractical rt 1.0.3
bestpractical rt 3.6.9
bestpractical rt 2.0.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.5.6
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 3.8.5
bestpractical rt 3.1.3
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 2.0.5.3
bestpractical rt 2.0.8
bestpractical rt 3.7.85
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.7.86
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 1.0.6
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-4458 MEDIUM

Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-5092 and CVE-2011-5093.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.7.5
bestpractical rt 3.6.10
bestpractical rt 3.6.0
bestpractical rt 4.0.1
bestpractical rt 3.6.2
bestpractical rt 3.7.80
bestpractical rt 3.7.1
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.7.85
bestpractical rt 3.8.8
bestpractical rt 3.8.9
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.6.3
bestpractical rt 3.8.3
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
CVE-2011-4459 LOW

Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a group membership.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 4.0.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-4460 MEDIUM

SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to execute arbitrary SQL commands by leveraging access to a privileged account.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 3.5.4
bestpractical rt 3.2.3
bestpractical rt 3.6.0
bestpractical rt 3.4.4
bestpractical rt 2.0.6
bestpractical rt 2.0.11
bestpractical rt 3.0.1
bestpractical rt 2.0.15
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.0.10
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 2.0.8.2
bestpractical rt 2.0.0
bestpractical rt 3.6.6
bestpractical rt 2.0.5
bestpractical rt 2.0.9
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 2.0.1
bestpractical rt 3.5.1
bestpractical rt 3.8.10
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.7.80
bestpractical rt 2.0.4
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.0.12
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 2.0.13
bestpractical rt 2.0.5.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7.1
bestpractical rt 3.0.0
bestpractical rt 4.0.3
bestpractical rt 3.4.6
bestpractical rt 3.7.5
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 2.0.12
bestpractical rt 3.7.1
bestpractical rt 3.4.0
bestpractical rt 3.5.2
bestpractical rt 3.8.9
bestpractical rt 4.0.5
bestpractical rt 3.6.9
bestpractical rt 2.0.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.5.6
bestpractical rt 2.0.2
bestpractical rt 3.6.3
bestpractical rt 3.8.5
bestpractical rt 3.1.3
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.2.0
bestpractical rt 2.0.7
bestpractical rt 2.0.5.3
bestpractical rt 2.0.8
bestpractical rt 3.7.85
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.7.86
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.0.7
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 2.0.14
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-5092 HIGH

Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical rt 3.0.4
bestpractical rt 3.1.11
bestpractical rt 3.4.5
bestpractical rt 4.0.3
bestpractical rt 3.5.4
bestpractical rt 3.4.6
bestpractical rt 3.2.3
bestpractical rt 3.7.5
bestpractical rt 3.6.0
bestpractical rt 3.6.2
bestpractical rt 3.0.2
bestpractical rt 3.4.4
bestpractical rt 3.7.1
bestpractical rt 3.0.1
bestpractical rt 3.1.13
bestpractical rt 3.8.2
bestpractical rt 3.4.0
bestpractical rt 3.5.7
bestpractical rt 4.0.0
bestpractical rt 3.5.3
bestpractical rt 3.0.11
bestpractical rt 3.0.5
bestpractical rt 3.5.2
bestpractical rt 3.2.2
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 3.0.10
bestpractical rt 4.0.5
bestpractical rt 3.6.1
bestpractical rt 3.1.5
bestpractical rt 3.6.9
bestpractical rt 3.6.5
bestpractical rt 3.0.9
bestpractical rt 3.1.15
bestpractical rt 3.8.1
bestpractical rt 3.4.3
bestpractical rt 3.1.4
bestpractical rt 3.8.6
bestpractical rt 3.6.6
bestpractical rt 3.5.6
bestpractical rt 3.6.3
bestpractical rt 3.1.8
bestpractical rt 3.6.7
bestpractical rt 3.8.0
bestpractical rt 3.5.1
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 3.1.3
bestpractical rt 3.6.8
bestpractical rt 4.0.4
bestpractical rt 3.6.4
bestpractical rt 3.4.2
bestpractical rt 3.6.10
bestpractical rt 4.0.1
bestpractical rt 3.7.80
bestpractical rt 3.2.0
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.7.85
bestpractical rt 3.0.12
bestpractical rt 3.1.6
bestpractical rt 3.5.5
bestpractical rt 3.0.6
bestpractical rt 3.0.3
bestpractical rt 3.7.86
bestpractical rt 4.0.2
bestpractical rt 3.1.16
bestpractical rt 3.8.7
bestpractical rt 3.1.2
bestpractical rt 3.0.8
bestpractical rt 3.4.1
bestpractical rt 3.4.7
bestpractical rt 3.0.7
bestpractical rt 3.0.7.1
bestpractical rt 3.1.7
bestpractical rt 3.8.3
bestpractical rt 3.1.14
bestpractical rt 3.1.17
bestpractical rt 3.2.1
bestpractical rt 3.0.0
bestpractical rt 3.1.12
bestpractical rt 3.1.10
CVE-2011-5093 MEDIUM

Best Practical Solutions RT 4.x before 4.0.6 does not properly implement the DisallowExecuteCode option, which allows remote authenticated users to bypass intended access restrictions and execute arbitrary code by leveraging access to a privileged account, a different vulnerability than CVE-2011-4458 and CVE-2011-5092.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical rt 4.0.2
bestpractical rt 4.0.3
bestpractical rt 4.0.0
bestpractical rt 4.0.5
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 3.8.12
CVE-2012-6578 MEDIUM

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote attackers to spoof messages by leveraging the lack of authentication semantics.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.3
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
bestpractical request_tracker 3.8.12
CVE-2012-6579 MEDIUM

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly cause a denial of service (loss of e-mail readability), via an e-mail message to a queue's address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.3
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
bestpractical request_tracker 3.8.12
CVE-2012-6580 MEDIUM

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditing via an e-mail message to a queue's address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.3
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
bestpractical request_tracker 3.8.12
CVE-2012-6581 MEDIUM

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.3
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
bestpractical request_tracker 3.8.12
CVE-2013-3368 LOW

bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3369 MEDIUM

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3370 MEDIUM

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3371 MEDIUM

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an attachment.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3372 MEDIUM

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3373 MEDIUM

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3374 MEDIUM

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences and caches) via unknown vectors, related to a "limited session re-use."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
bestpractical rt 4.0.3
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 3.8.13
bestpractical rt 3.8.4
bestpractical rt 3.8.11
bestpractical rt 3.8.2
bestpractical rt 4.0.0
bestpractical rt 3.8.8
bestpractical rt 3.8.12
bestpractical rt 3.8.9
bestpractical rt 4.0.6
bestpractical rt 4.0.2
bestpractical rt 3.8.7
bestpractical rt 4.0.5
bestpractical rt 3.8.16
bestpractical rt 3.8.14
bestpractical rt 3.8.1
bestpractical rt 3.8.6
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 3.8.15
bestpractical rt 4.0.9
bestpractical rt 3.8.3
bestpractical rt 4.0.8
bestpractical rt 3.8.0
bestpractical rt 3.8.5
bestpractical rt 3.8.10
bestpractical rt 4.0.7
CVE-2013-3525 HIGH

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker *
bestpractical request_tracker 3.6.8
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.3
bestpractical request_tracker 3.8.16
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.2
bestpractical request_tracker 3.8.12
bestpractical request_tracker 3.6.11
bestpractical request_tracker 3.6.10
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 3.8.15
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
CVE-2013-3736 MEDIUM

Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.0.1
bestpractical rt-extension-mobileui *
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
CVE-2013-3737 MEDIUM

The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.0.2
CVE-2013-5587 LOW

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical rt 4.0.2
bestpractical rt 4.0.3
bestpractical rt 4.0.5
bestpractical rt 4.0.4
bestpractical rt 4.0.1
bestpractical rt 4.0.11
bestpractical rt 4.0.0
bestpractical rt 4.0.12
bestpractical rt 4.0.10
bestpractical rt 4.0.9
bestpractical rt 4.0.8
bestpractical rt 4.0.6
bestpractical rt 4.0.7
CVE-2014-1474 MEDIUM

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
bestpractical rt 4.2.0
bestpractical rt 4.2.2
bestpractical rt 4.2.1
email::address::list_project email::address::list *
CVE-2014-9472 HIGH

The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.2.4
bestpractical request_tracker 3.8.7
bestpractical request_tracker 3.8.3
bestpractical request_tracker 3.8.16
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.0.14
fedoraproject fedora 22
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 3.8.4
bestpractical request_tracker 4.0.9
bestpractical request_tracker 3.6.11
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.17
bestpractical request_tracker 3.6.10
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 3.8.15
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.2.7
fedoraproject fedora 21
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.0.20
bestpractical request_tracker 3.6.8
bestpractical request_tracker 3.8.13
bestpractical request_tracker 4.0.3
bestpractical request_tracker 3.8.17
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 3.8.14
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 3.8.12
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.0.13
bestpractical request_tracker 4.0.21
debian debian_linux 7.0
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.5
CVE-2015-1165 MEDIUM

RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.2.4
bestpractical request_tracker 4.0.20
bestpractical request_tracker 3.8.13
bestpractical request_tracker 3.8.16
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 3.8.17
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.14
fedoraproject fedora 22
bestpractical request_tracker 3.8.9
bestpractical request_tracker 3.8.10
bestpractical request_tracker 3.8.14
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 3.8.12
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.13
bestpractical request_tracker 3.8.8
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.21
debian debian_linux 7.0
bestpractical request_tracker 4.0.17
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 3.8.15
bestpractical request_tracker 3.8.11
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.2.7
fedoraproject fedora 21
CVE-2015-1464 MEDIUM

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.2.4
bestpractical request_tracker *
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.2.9
fedoraproject fedora 22
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.2.7
bestpractical request_tracker 4.2.2
fedoraproject fedora 21
CVE-2015-5475 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2015-6506 MEDIUM

Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2016-6127 MEDIUM

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.2.4
bestpractical request_tracker 4.0.20
bestpractical request_tracker 4.2.10
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.4.1
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.14
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.2.13
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.24
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.2.11
bestpractical request_tracker 4.2.12
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.13
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.21
bestpractical request_tracker 4.4.0
bestpractical request_tracker 4.0.17
bestpractical request_tracker 4.0.23
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.2.7
CVE-2017-5361 MEDIUM

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.2.4
bestpractical request_tracker 4.0.20
bestpractical request_tracker 4.2.10
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.4.1
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.14
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.2.13
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.24
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.2.11
bestpractical request_tracker 4.2.12
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.13
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.21
bestpractical request_tracker 4.4.0
bestpractical request_tracker 4.0.17
bestpractical request_tracker 4.0.23
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.2.7
CVE-2017-5943 MEDIUM

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.2.4
bestpractical request_tracker 4.0.20
bestpractical request_tracker 4.2.10
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.4.1
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.14
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.2.13
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.24
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.2.11
bestpractical request_tracker 4.2.12
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.13
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.21
bestpractical request_tracker 4.4.0
bestpractical request_tracker 4.0.17
bestpractical request_tracker 4.0.23
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.2.7
CVE-2017-5944 MEDIUM

The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
bestpractical request_tracker 4.0.7
bestpractical request_tracker 4.2.4
bestpractical request_tracker 4.0.20
bestpractical request_tracker 4.2.10
bestpractical request_tracker 4.0.3
bestpractical request_tracker 4.2.0
bestpractical request_tracker 4.0.16
bestpractical request_tracker 4.2.8
bestpractical request_tracker 4.4.1
bestpractical request_tracker 4.0.8
bestpractical request_tracker 4.2.9
bestpractical request_tracker 4.0.1
bestpractical request_tracker 4.0.14
bestpractical request_tracker 4.0.12
bestpractical request_tracker 4.2.3
bestpractical request_tracker 4.2.5
bestpractical request_tracker 4.2.13
bestpractical request_tracker 4.0.9
bestpractical request_tracker 4.0.24
bestpractical request_tracker 4.0.10
bestpractical request_tracker 4.0.2
bestpractical request_tracker 4.0.22
bestpractical request_tracker 4.2.2
bestpractical request_tracker 4.0.11
bestpractical request_tracker 4.2.11
bestpractical request_tracker 4.2.12
bestpractical request_tracker 4.0.18
bestpractical request_tracker 4.2.6
bestpractical request_tracker 4.0.13
bestpractical request_tracker 4.0.19
bestpractical request_tracker 4.0.21
bestpractical request_tracker 4.4.0
bestpractical request_tracker 4.0.17
bestpractical request_tracker 4.0.23
bestpractical request_tracker 4.0.6
bestpractical request_tracker 4.0.4
bestpractical request_tracker 4.2.1
bestpractical request_tracker 4.0.0
bestpractical request_tracker 4.0.15
bestpractical request_tracker 4.0.5
bestpractical request_tracker 4.2.7
CVE-2018-18898 MEDIUM

The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
debian debian_linux 8.0
fedoraproject fedora 28
debian debian_linux 10.0
canonical ubuntu_linux 18.04
bestpractical request_tracker *
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2021-38562 MEDIUM

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
debian debian_linux 9.0
bestpractical request_tracker *
fedoraproject fedora 35
CVE-2022-25800

Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
bestpractical request_tracker_for_incident_response *
CVE-2022-25801

Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
bestpractical request_tracker_for_incident_response *
CVE-2022-25802

Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2022-25803

Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2023-41259

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2023-41260

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2023-45024

Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2025-30087

Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2025-31500

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
cve@mitre.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
bestpractical request_tracker *
CVE-2025-31501

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
cve@mitre.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
bestpractical request_tracker *