CVE-2016-6127 — Cross-site Scripting in Request-tracker4

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 44.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Request-tracker4 Bestpractical Request Tracker

Timeline

PublishedJul 3

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/request-tracker4< request-tracker4 4.4.1-4 (bookworm)

▶NVDbestpractical/request_tracker41 versions+40

🔴Vulnerability Details

GHSA

GHSA-57pq-pp54-cgmc: Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4↗2022-05-17

▶

OSV

CVE-2016-6127: Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4↗2017-07-03

▶

📋Vendor Advisories

Debian

CVE-2016-6127: request-tracker4 - Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0....↗2016

▶

💬Community

Bugzilla

CVE-2016-6127 rt: Cross-site scripting via malicious file upload↗2017-07-26

▶

Bugzilla

CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944 rt: various flaws [fedora-all]↗2017-07-26

▶