cbcvebase.

Bestpractical Rt vulnerabilities

43 known vulnerabilities affecting bestpractical/rt.

Total CVEs
43
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH4MEDIUM34LOW5

Vulnerabilities

Page 2 of 3
CVE-2025-31501P4MEDIUMCVSS 6.1≥ 5.0.0, < 5.0.82025-05-28
CVE-2025-31501 [MEDIUM] CWE-79 CVE-2025-31501: Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT p Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
nvd
CVE-2009-3585P4MEDIUMCVSS 5.8v3.0.1v3.0.2+38 more2009-12-02
CVE-2009-3585 [MEDIUM] CWE-287 CVE-2009-3585: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3. Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
nvd
CVE-2026-41073P4MEDIUMCVSS 4.6fixed in 5.0.10v>= 6.0.0, < 6.0.32026-05-22
CVE-2026-41073 [MEDIUM] CWE-1236 CVE-2026-41073: RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 an RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted val
cvelistv5nvd
CVE-2009-4151P4MEDIUMCVSS 5.8v3.0.1v3.0.2+38 more2009-12-02
CVE-2009-4151 [MEDIUM] CVE-2009-4151: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3. Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
nvd
CVE-2011-2082P4MEDIUMCVSS 5.0v3.0.0v3.0.1+81 more2012-06-04
CVE-2011-2082 [MEDIUM] CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0. The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the dat
nvd
CVE-2014-1474P4MEDIUMCVSS 5.0v4.2.0v4.2.1+1 more2014-07-15
CVE-2014-1474 [MEDIUM] CWE-189 CVE-2014-1474: Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 throug Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.
nvd
CVE-2013-3371P4MEDIUMCVSS 4.3v3.8.0v3.8.1+28 more2013-08-23
CVE-2013-3371 [MEDIUM] CWE-79 CVE-2013-3371: Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x befo Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an attachment.
nvd
CVE-2011-0009P4MEDIUMCVSS 4.3≤ 3.8.9v3.0.0+72 more2011-01-25
CVE-2011-0009 [MEDIUM] CWE-310 CVE-2011-0009: Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for p Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.
nvd
CVE-2011-1685P4MEDIUMCVSS 4.6v3.8.0v3.8.1+9 more2011-04-22
CVE-2011-1685 [MEDIUM] CWE-352 CVE-2011-1685: Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldVa Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.
nvd
CVE-2011-2084P4MEDIUMCVSS 4.0v3.0.0v3.0.1+81 more2012-06-04
CVE-2011-2084 [MEDIUM] CWE-200 CVE-2011-2084: Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to read (1) hashes of former passwords and (2) ticket correspondence history by leveraging access to a privileged account.
nvd
CVE-2011-2083P4MEDIUMCVSS 4.3v3.0.0v3.0.1+81 more2012-06-04
CVE-2011-2083 [MEDIUM] CWE-79 CVE-2011-2083: Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2011-1689P4MEDIUMCVSS 4.3v2.0.0v2.0.1+63 more2011-04-22
CVE-2011-1689 [MEDIUM] CWE-79 CVE-2011-1689: Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6 Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2013-3372P4MEDIUMCVSS 4.3v4.0.0v4.0.1+28 more2013-08-23
CVE-2013-3372 [MEDIUM] CWE-79 CVE-2013-3372: Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject m Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors.
nvd
CVE-2013-3374P4MEDIUMCVSS 4.3v4.0.0v4.0.1+28 more2013-08-23
CVE-2013-3374 [MEDIUM] CVE-2013-3374: Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences and caches) via unknown vectors, related to a "limited session re-use."
nvd
CVE-2011-1008P4MEDIUMCVSS 4.0≤ 3.8.9v1.0.0+70 more2011-02-28
CVE-2011-1008 [MEDIUM] CWE-264 CVE-2011-1008: Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging.
nvd
CVE-2011-4459P4LOWCVSS 3.5v3.0.0v3.0.1+81 more2012-06-04
CVE-2011-4459 [LOW] CWE-264 CVE-2011-4459: Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not properly disable groups, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a group membership.
nvd
CVE-2009-3892P4MEDIUMCVSS 4.3v3.4.6v3.6.0+13 more2009-11-17
CVE-2009-3892 [MEDIUM] CWE-79 CVE-2009-3892: Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x be Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions allows remote attackers to inject arbitrary web script or HTML via certain Custom Fields.
nvd
CVE-2012-4730P4LOWCVSS 3.5v3.8.0v3.8.1+22 more2012-11-11
CVE-2012-4730 [LOW] CWE-264 CVE-2012-4730: Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users wi Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject arbitrary email headers and conduct phishing attacks or obtain sensitive information via unknown vectors.
nvd
CVE-2011-1687P4MEDIUMCVSS 4.0v3.0.0v3.0.1+45 more2011-04-22
CVE-2011-1687 [MEDIUM] CWE-200 CVE-2011-1687: Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords.
nvd
CVE-2013-5587P4LOWCVSS 2.6v4.0.0v4.0.1+11 more2013-08-23
CVE-2013-5587 [LOW] CVE-2013-5587: Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.
nvd