CVE-2025-31501Cross-site Scripting in Request Tracker

CWE-79Cross-site Scripting6 documents5 sources
Severity
6.1MEDIUMNVD
OSV7.5
EPSS
0.3%
top 51.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Bestpractical RTBestpractical Request TrackerDebian Request-tracker5
Timeline
PublishedMay 28
Latest updateAug 13

Description

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

NVDbestpractical/request_tracker4.4.04.4.8+1
CVEListV5bestpractical/rt5.0.05.0.8
debiandebian/request-tracker5< request-tracker5 5.0.3+dfsg-3~deb12u3 (bookworm)

🔴Vulnerability Details

3
OSV
request-tracker5 vulnerabilities2025-08-13
GHSA
GHSA-9j47-qv65-j87p: Best Practical RT (Request Tracker) 52025-05-28
OSV
CVE-2025-31501: Best Practical RT (Request Tracker) 52025-05-28

📋Vendor Advisories

2
Ubuntu
Request Tracker vulnerabilities2025-08-13
Debian
CVE-2025-31501: request-tracker5 - Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript ...2025
CVE-2025-31501 — Cross-site Scripting | cvebase