CVE-2025-30087: Cross-site Scripting in Request Tracker

Severity
6.1 MEDIUM (NVD)
OSV: 7.5
EPSS: 0.3% (top 45.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 28
Latest update: Aug 13

Description

Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

NVD | bestpractical/request_tracker | 4.4.0 | 4.4.8 | +1
CVEListV5 | bestpractical/rt | 4.4.0 | 4.4.8 | +1
debian | debian/request-tracker4 | < request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm)
debian | debian/request-tracker5 | < request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm)

🔴 Vulnerability Details (3)

OSV | request-tracker5 vulnerabilities | 2025-08-13
OSV | CVE-2025-30087: Best Practical RT (Request Tracker) 4 | 2025-05-28
GHSA | GHSA-2jfq-9qf9-jmjj: Best Practical RT (Request Tracker) 4 | 2025-05-28

📋 Vendor Advisories (2)

Ubuntu | Request Tracker vulnerabilities | 2025-08-13
Debian | CVE-2025-30087: request-tracker4 - Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allo... | 2025
CVE-2025-30087 — Cross-site Scripting | cvebase