cbcvebase.

Debian Request-Tracker4 vulnerabilities

44 known vulnerabilities affecting debian/request-tracker4.

Total CVEs: 44
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 32, LOW 5

Vulnerabilities

Page 1 of 3
CVE-2017-5944 | P3 | HIGH | CVSS 8.8 | fixed in request-tracker4 4.4.1-4 (bookworm) | 2017
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4); sid: resolved (fixed in 4.
Source: debian
CVE-2023-41260 | P3 | HIGH | CVSS 7.5 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u1 (bookworm) | 2023
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u1); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u3); sid: resolved (fixed in 4.4.7+dfsg-1)
Source: debian
CVE-2021-38562 | P3 | HIGH | CVSS 7.5 | fixed in request-tracker4 4.4.4+dfsg-3 (bookworm) | 2021
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
Scope: local. bookworm: resolved (fixed in 4.4.4+dfsg-3); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u1); sid: resolved (fixed in 4.4.4+dfsg-3)
Source: debian
CVE-2011-4458 | P3 | MEDIUM | CVSS 6.8 | fixed in request-tracker4 4.0.5-3 (bookworm) | 2011
Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-5092 and CVE-2011-5093.
Scope: local. bookworm: resolved (fixed in 4.0.5-3); bullseye: resolved (fixed
Source: debian
CVE-2023-41259 | P3 | HIGH | CVSS 7.5 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u1 (bookworm) | 2023
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u1); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u3); sid: resolved (fixed in 4.4.7+dfsg-1)
Source: debian
CVE-2013-3370 | P3 | MEDIUM | CVSS 6.8 | fixed in request-tracker4 4.0.12-2 (bookworm) | 2013
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved (fixed in 4.0.12-2); sid: resolved (fixed in 4.0.12-2)
Source: debian
CVE-2011-4460 | P3 | MEDIUM | CVSS 6.5 | fixed in request-tracker4 4.0.5-3 (bookworm) | 2011
SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to execute arbitrary SQL commands by leveraging access to a privileged account.
Scope: local. bookworm: resolved (fixed in 4.0.5-3); bullseye: resolved (fixed in 4.0.5-3); sid: resolved (fixed in 4.0.5-3)
Source: debian
CVE-2015-1464 | P3 | MEDIUM | CVSS 6.4 | fixed in request-tracker4 4.2.8-3 (bookworm) | 2015
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Scope: local. bookworm: resolved (fixed in 4.2.8-3); bullseye: resolved (fixed in 4.2.8-3); sid: resolved (fixed in 4.2.8-3)
Source: debian
CVE-2017-5943 | P4 | HIGH | CVSS 8.8 | fixed in request-tracker4 4.4.1-4 (bookworm) | 2017
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4); sid: resolved (fixed in 4.4.1-4)
Source: debian
CVE-2013-3369 | P4 | MEDIUM | CVSS 6.0 | fixed in request-tracker4 4.0.12-2 (bookworm) | 2013
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved (fixed in 4.0.12-2); sid: resolved (fixed in 4.0.12-2)
Source: debian
CVE-2012-4884 | P4 | MEDIUM | CVSS 5.0 | fixed in request-tracker4 4.0.7-2 (bookworm) | 2012
Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG client.
Scope: local. bookworm: resolved (fixed in 4.0.7-2); bullseye: resolved (fixed in 4.0.7-2); sid: resolved (fixed in 4.0.7-2)
Source: debian
CVE-2012-4733 | P4 | MEDIUM | CVSS 6.0 | fixed in request-tracker4 4.0.12-2 (bookworm) | 2012
Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved (fixed in 4.0.12-2); sid: resolved (fixed in
Source: debian
CVE-2014-9472 | P4 | HIGH | CVSS 7.1 | fixed in request-tracker4 4.2.8-3 (bookworm) | 2014
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
Scope: local. bookworm: resolved (fixed in 4.2.8-3); bullseye: resolved (fixed in 4.2.8-3); sid: resolved (fixed in 4.2.8-3)
Source: debian
CVE-2017-5361 | P4 | MEDIUM | CVSS 5.9 | fixed in request-tracker4 4.4.1-4 (bookworm) | 2017
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4)
Source: debian
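Two entries on this page (CVE-2021-38562 and CVE-2017-5361) are the same bug class: a secret compared with an early-exit loop, so the time to reject a guess grows with the length of the correct prefix. The following added example (written for this listing; it is not RT code and does not reproduce RT's Perl) makes the leak deterministic by counting bytes examined instead of timing, drives a byte-at-a-time recovery off that count, and shows the same attack failing against a constant-time comparison. The hex alphabet, the secret `deadbeef`, and the assumption that the secret's length is known are constructed for the demonstration.

```python
import hmac


def early_exit_equal(expected: bytes, supplied: bytes):
    """The pattern the two timing CVEs describe: stop at the first mismatching
    byte. Returns (equal, bytes_examined); the count stands in for the elapsed
    time a remote attacker would measure statistically over many requests."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for e, s in zip(expected, supplied):
        examined += 1
        if e != s:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, supplied: bytes):
    """Same interface, but every byte is visited and the verdict is folded into
    one accumulator, so the work done no longer depends on where the mismatch is.
    (The length check still returns early; compare fixed-length digests to avoid
    leaking length as well.)"""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for e, s in zip(expected, supplied):
        diff |= e ^ s
    return diff == 0, len(expected)


def production_equal(expected: bytes, supplied: bytes) -> bool:
    """What application code should actually call: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(expected, supplied)


def recover_secret(compare, secret: bytes, alphabet: bytes = b"0123456789abcdef"):
    """Byte-at-a-time recovery that observes only the comparison's work count.
    `secret` is passed in solely so the oracle can be simulated locally; the
    attacker learns about it only through `compare`'s return values.
    Assumes the secret length is known (constructed assumption for the demo)."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        found = False
        for candidate in alphabet:
            guess[pos] = candidate
            equal, work = compare(secret, bytes(guess))
            # A correct byte lets the loop advance past this position
            # (or, at the last position, succeed outright).
            if equal or work > pos + 1:
                found = True
                break
        if not found:
            return None
    return bytes(guess)


if __name__ == "__main__":
    secret = b"deadbeef"  # constructed sample secret
    print("early-exit compare leaks:", recover_secret(early_exit_equal, secret))
    print("constant-time compare   :", recover_secret(constant_time_equal, secret))
```

Against `early_exit_equal` the recovery needs at most 16 guesses per byte instead of 16^8 for the whole value; against `constant_time_equal` every candidate reports the same work and the search has nothing to go on. Over a network the count becomes a noisy timing difference, which is why the fix is to make the comparison independent of the data rather than to hope the noise hides it.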
CVE-2012-4732 | P4 | MEDIUM | CVSS 6.8 | fixed in request-tracker4 4.0.7-2 (bookworm) | 2012
Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks.
Scope: local. bookworm: resolved (fixed in 4.0.7-2); bullseye: resolved (fixed in 4.0.7-2); sid: reso
Source: debian
CVE-2013-3373 | P4 | MEDIUM | CVSS 5.0 | fixed in request-tracker4 4.0.12-2 (bookworm) | 2013
CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved (fixed in 4.0.12-2); sid: resolved (fixed in 4.0.12-2)
Source: debian
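The CRLF entry above names the mechanism (a MIME header value copied into an HTTP header) but not the vector. The added example below, which is not RT code and does not reproduce RT's fix, assumes for illustration that the value is an attachment filename echoed into `Content-Disposition`; it builds the raw response both ways, parses the bytes the way a browser or proxy would, and shows the injected `Set-Cookie` and second body appearing in the split response. The attacker filename is constructed for the demo.

```python
import re


class HeaderInjection(ValueError):
    """Raised when a value destined for an HTTP header carries CR, LF or NUL."""


def header_value(value: str) -> str:
    """Reject rather than silently strip control characters: a stripped value
    may still be wrong, while a rejected one surfaces in logs for investigation."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_download_response(filename: str, body: bytes, sanitize: bool = True) -> bytes:
    """Render a raw HTTP/1.1 response that echoes an attachment's MIME filename
    into Content-Disposition. sanitize=False reproduces the splitting bug.
    (Quoting of '"' and non-ASCII per RFC 6266 is a separate concern, left out.)"""
    value = header_value(filename) if sanitize else filename
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{value}"\r\n'
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 parse as a client sees the bytes: headers end at the
    first blank line; for duplicate names the first occurrence wins."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), val.strip())
    return lines[0], headers, body


# Constructed attacker input: a filename carrying CRLFs, a forged session
# cookie and a complete second "response" body.
EVIL_FILENAME = (
    'report.pdf"\r\n'
    "Set-Cookie: RT_SID=attacker-chosen\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def demo_vulnerable():
    """Return (forged cookie, body) as a client would interpret the split response."""
    _, headers, body = parse_response(
        build_download_response(EVIL_FILENAME, b"%PDF-1.4", sanitize=False))
    return headers.get("set-cookie"), body


def is_rejected(filename: str) -> bool:
    """True when the sanitizing builder refuses the filename."""
    try:
        build_download_response(filename, b"", sanitize=True)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print(demo_vulnerable())
    print("rejected:", is_rejected(EVIL_FILENAME))
```

The parse step is what makes the bug visible: the client stops reading headers at the attacker's blank line, so the forged cookie is honoured and the real `Content-Length` and PDF bytes are treated as body. Validation belongs at the point where untrusted text becomes a header, whichever MIME field it came from.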
CVE-2012-4734 | P4 | MEDIUM | CVSS 5.0 | fixed in request-tracker4 4.0.7-2 (bookworm) | 2012
Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protection mechanism and cause victims to "modify arbitrary state" via unknown vectors related to a crafted link.
Scope: local. bookworm: resolved (fixed in 4.0.7-2); bullseye: resolved (fixed in 4.0.7-2); sid
Source: debian
CVE-2025-30087 | P4 | HIGH | CVSS 7.2 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm) | 2025
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u2); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u4); sid: open
Source: debian
CVE-2011-2085 | P4 | MEDIUM | CVSS 6.8 | fixed in request-tracker4 4.0.5-3 (bookworm) | 2011
Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users.
Scope: local. bookworm: resolved (fixed in 4.0.5-3); bullseye: resolved (fixed in 4.0.5-3); sid: resolved (fixed in 4.0.5-3)
Source: debian
CVE-2016-6127 | P4 | MEDIUM | CVSS 6.1 | fixed in request-tracker4 4.4.1-4 (bookworm) | 2016
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.
Scope: local. bookworm: resolved (fixed in 4.4.1-4)
Source: debian
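The practical question this listing answers is whether a given installed request-tracker4 package is older than the "fixed in" version for its suite. Debian versions do not sort as plain strings (`4.4.6+dfsg-1.1` is older than `4.4.6+dfsg-1.1+deb12u1`, and `1.0~rc1` is older than `1.0`), so the added example below, which is not part of this page or of Debian's tooling, reimplements dpkg's version ordering in Python and checks an installed version against a table copied from the entries above. Only entries whose bookworm and bullseye fix versions are fully visible on this page are in the table; on a real host `dpkg-query -W -f='${Version}' request-tracker4` and `dpkg --compare-versions` remain the authoritative sources.

```python
"""Compare an installed Debian request-tracker4 version with the fixed versions
this listing reports, using dpkg's ordering (epoch:upstream-revision; '~' sorts
before everything, digit runs compare numerically, letters before symbols)."""

DIGITS = "0123456789"


def _split(version: str):
    """'1:4.4.6+dfsg-1.1+deb12u1' -> (1, '4.4.6+dfsg', '1.1+deb12u1')."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(ch: str) -> int:
    """dpkg's character weight: '~' < end-of-string < letters < other symbols."""
    if ch == "" or ch in DIGITS:
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _fragment_cmp(a: str, b: str) -> int:
    """Compare one upstream or revision string as dpkg's verrevcmp does:
    alternate non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1   # a has more significant digits left
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _fragment_cmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Fixed versions as listed on this page (bookworm and bullseye only; entries
# whose fix version is cut off in the listing are left out).
FIXED_IN = {
    "CVE-2017-5944":  {"bookworm": "4.4.1-4", "bullseye": "4.4.1-4"},
    "CVE-2023-41260": {"bookworm": "4.4.6+dfsg-1.1+deb12u1", "bullseye": "4.4.4+dfsg-2+deb11u3"},
    "CVE-2021-38562": {"bookworm": "4.4.4+dfsg-3", "bullseye": "4.4.4+dfsg-2+deb11u1"},
    "CVE-2023-41259": {"bookworm": "4.4.6+dfsg-1.1+deb12u1", "bullseye": "4.4.4+dfsg-2+deb11u3"},
    "CVE-2013-3370":  {"bookworm": "4.0.12-2", "bullseye": "4.0.12-2"},
    "CVE-2025-30087": {"bookworm": "4.4.6+dfsg-1.1+deb12u2", "bullseye": "4.4.4+dfsg-2+deb11u4"},
}


def open_cves(installed: str, suite: str, table=FIXED_IN) -> list:
    """CVEs in the table whose fix for `suite` is newer than `installed`."""
    return sorted(cve for cve, fixes in table.items()
                  if suite in fixes and compare_versions(installed, fixes[suite]) < 0)


if __name__ == "__main__":
    # Constructed sample: a bookworm host one security update behind.
    print(open_cves("4.4.6+dfsg-1.1+deb12u1", "bookworm"))
```

The table covers only this page of a three-page listing, so an empty result means "none of these six", not "fully patched"; extend `FIXED_IN` from the remaining pages before relying on it.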