CVE-2022-25802 — Cross-site Scripting in Request Tracker

CWE-79 — Cross-site Scripting8 documents5 sources

Severity

6.1MEDIUMNVD

OSV7.5

EPSS

0.8%

top 26.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bestpractical Request Tracker Debian Request-tracker4 Debian Request-tracker5

Timeline

PublishedJul 14

Latest updateAug 13

Description

Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDbestpractical/request_tracker5.0.0 — 5.0.3+1

▶debiandebian/request-tracker4< request-tracker4 4.4.6+dfsg-1 (bookworm)

▶debiandebian/request-tracker5< request-tracker4 4.4.6+dfsg-1 (bookworm)

Patches

Patch: docs.bestpractical.com ↗Patch: docs.bestpractical.com ↗Patch: docs.bestpractical.com ↗

🔴Vulnerability Details

OSV

request-tracker5 vulnerabilities↗2025-08-13

▶

OSV

request-tracker4 vulnerabilities↗2023-12-04

▶

GHSA

GHSA-q26c-cxjj-m3hx: Best Practical Request Tracker (RT) before 4↗2022-07-15

▶

OSV

CVE-2022-25802: Best Practical Request Tracker (RT) before 4↗2022-07-14

▶

📋Vendor Advisories

Ubuntu

Request Tracker vulnerabilities↗2025-08-13

▶

Ubuntu

Request Tracker vulnerabilities↗2023-12-04

▶

Debian

CVE-2022-25802: request-tracker4 - Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS...↗2022

▶