Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-3525: SQL Injection in Request Tracker

CWE-89: SQL Injection | 4 documents | 4 sources
Severity: 7.5 HIGH (NVD)
EPSS: 1.5% (top 18.65%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: May 10
Latest update: May 17

Description

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA (2022-05-17): GHSA-74vr-hr74-r4mf: ** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4
OSV (2013-05-10): CVE-2013-3525: ** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4

💥 Exploits & PoCs (1)

Exploit-DB (2013-04-11): Request Tracker - 'ShowPending' SQL Injection