Debian Request-Tracker4 vulnerabilities

44 known vulnerabilities affecting debian/request-tracker4.

Total CVEs: 44
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 32, LOW 5

Vulnerabilities

Page 1 of 3 (entries 1-20 of 44)
CVE-2025-30087 | HIGH | CVSS 7.2 | 2025 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm)
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u2); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u4); sid: open.

CVE-2025-61873 | LOW | CVSS 2.6 | 2025 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u3 (bookworm)
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u3); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u5); sid: open.

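CSV/TSV injection, as in the entry above, comes from exporting a user-controlled field whose first character a spreadsheet reads as the start of a formula. The Python below is an added example written for this page, not RT's export code or its patch: a naive TSV exporter beside one that defuses leading formula characters and escapes field separators, plus an audit helper that flags cells a spreadsheet would evaluate. The ticket records, column names and function names are constructed for the illustration.

```python
# Added example (not RT's code): a TSV export that defuses spreadsheet
# formula injection, beside the naive export that is vulnerable to it.
# TICKETS, COLUMNS and the function names are constructed for this page.

# Characters that Excel and LibreOffice treat as the start of a formula
# when they are the first character of a cell.
FORMULA_TRIGGERS = frozenset("=+-@")

COLUMNS = ("id", "Subject", "Requestor")

# Constructed sample tickets; tickets 102 and 103 carry hostile Subject values.
TICKETS = [
    {"id": 101, "Subject": "Printer on floor 3 is jammed", "Requestor": "alice@example.org"},
    {"id": 102, "Subject": '=HYPERLINK("http://attacker.example/x","click me")', "Requestor": "mallory@example.org"},
    {"id": 103, "Subject": "-2+3+cmd|' /C calc'!A0", "Requestor": "bob@example.org"},
]


def neutralise_cell(value) -> str:
    """Make one cell value safe for a TSV that will be opened in a spreadsheet.

    Two separate problems are handled:
      * a leading formula trigger is defused with a leading single quote,
        which spreadsheets take as "this cell is text";
      * tabs, newlines and backslashes inside the value are escaped so a
        ticket field cannot split a record or inject extra columns.
    """
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        text = "'" + text
    return (text.replace("\\", "\\\\")
                .replace("\t", "\\t")
                .replace("\r", "\\r")
                .replace("\n", "\\n"))


def export_tsv_vulnerable(tickets) -> str:
    """The bug class: field values are written into the file untouched."""
    lines = ["\t".join(COLUMNS)]
    for ticket in tickets:
        lines.append("\t".join(str(ticket[col]) for col in COLUMNS))
    return "\n".join(lines) + "\n"


def export_tsv_hardened(tickets) -> str:
    """Same export, with every cell passed through neutralise_cell()."""
    lines = ["\t".join(COLUMNS)]
    for ticket in tickets:
        lines.append("\t".join(neutralise_cell(ticket[col]) for col in COLUMNS))
    return "\n".join(lines) + "\n"


def formula_cells(tsv_text: str):
    """Audit helper: (row, column) of every cell a spreadsheet would evaluate.

    Row 0 is the header line. Run it over an export before handing it to
    users, or keep it as a regression test for the exporter.
    """
    hits = []
    for row, line in enumerate(tsv_text.splitlines()):
        for col, cell in enumerate(line.split("\t")):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((row, col))
    return hits


if __name__ == "__main__":
    print("vulnerable export evaluates cells at:", formula_cells(export_tsv_vulnerable(TICKETS)))
    print("hardened export evaluates cells at:  ", formula_cells(export_tsv_hardened(TICKETS)))
```

Prefixing a quote also alters genuinely numeric cells such as "-5", so exempt columns known to be numeric or apply the defusing only to free-text fields. The audit helper is the check to run over any export that users will open in Excel or LibreOffice.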
CVE-2025-2545 | LOW | CVSS 2.3 | 2025 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm)
Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday attacks, which could compromise the confidentiality of encrypted messages.
Scope: local.

CVE-2024-3262 | MEDIUM | CVSS 5.5 | 2024 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u2 (bookworm)
Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination.
Scope: local.

CVE-2023-41259 | HIGH | CVSS 7.5 | 2023 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u1 (bookworm)
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u1); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u3); sid: resolved (fixed in 4.4.7+dfsg-1).

CVE-2023-41260 | HIGH | CVSS 7.5 | 2023 | fixed in request-tracker4 4.4.6+dfsg-1.1+deb12u1 (bookworm)
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1.1+deb12u1); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u3); sid: resolved (fixed in 4.4.7+dfsg-1).

CVE-2022-25802 | MEDIUM | CVSS 6.1 | 2022 | fixed in request-tracker4 4.4.6+dfsg-1 (bookworm)
Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
Scope: local. bookworm: resolved (fixed in 4.4.6+dfsg-1); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u2); sid: resolved (fixed in 4.4.6+dfsg-1).

CVE-2021-38562 | HIGH | CVSS 7.5 | 2021 | fixed in request-tracker4 4.4.4+dfsg-3 (bookworm)
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
Scope: local. bookworm: resolved (fixed in 4.4.4+dfsg-3); bullseye: resolved (fixed in 4.4.4+dfsg-2+deb11u1); sid: resolved (fixed in 4.4.4+dfsg-3).

CVE-2017-5943 | HIGH | CVSS 8.8 | 2017 | fixed in request-tracker4 4.4.1-4 (bookworm)
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4); sid: resolved (fixed in 4.4.1-4).

CVE-2017-5944 | HIGH | CVSS 8.8 | 2017 | fixed in request-tracker4 4.4.1-4 (bookworm)
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4); sid: resolved (fixed in 4.

CVE-2017-5361 | MEDIUM | CVSS 5.9 | 2017 | fixed in request-tracker4 4.4.1-4 (bookworm)
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
Scope: local. bookworm: resolved (fixed in 4.4.1-4); bullseye: resolved (fixed in 4.4.1-4).

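CVE-2021-38562 above and CVE-2017-5361 here are the same bug class: a comparison that stops at the first mismatching byte takes measurably longer the more of the secret a guess gets right. The Python below is an added example for this page, not RT's lib/RT/REST2/Middleware/Auth.pm or its fix: the short-circuiting compare instrumented to show how much work each guess costs, the constant-time replacement, and a digest-then-compare token check. SECRET, GUESSES and the function names are constructed for the illustration.

```python
# Added example (not RT's code): why a short-circuiting secret comparison
# leaks through timing, beside the constant-time replacement. SECRET and
# GUESSES are constructed for the illustration.
import hashlib
import hmac


def compare_short_circuit(secret: str, guess: str):
    """The vulnerable pattern: return at the first mismatching position.

    Returns (equal, positions_examined). The attacker never sees the second
    value directly, but the time the call takes grows with it, so measuring
    response times over many guesses reveals how long the correct prefix is.
    """
    examined = 0
    if len(secret) != len(guess):
        return False, examined
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def compare_constant_time(secret: str, guess: str) -> bool:
    """The fix: hmac.compare_digest inspects every byte regardless of mismatches."""
    return hmac.compare_digest(secret.encode("utf-8"), guess.encode("utf-8"))


def matching_prefix_leak(secret: str, guesses):
    """Work the server does per guess: positions examined before returning."""
    return [compare_short_circuit(secret, g)[1] for g in guesses]


def verify_token(stored_digest: str, presented: str) -> bool:
    """Pattern for API tokens: keep only a SHA-256 digest of the token at rest,
    hash what the client presents, and compare the digests in constant time.
    A leak from the comparison would then reveal digest bytes, which cannot be
    turned back into the token.
    """
    presented_digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored_digest, presented_digest)


# Constructed secret and a sequence of guesses with a growing correct prefix.
SECRET = "7f3a9c1e2b4d"
GUESSES = ["000000000000", "7f0000000000", "7f3a9c000000", "7f3a9c1e2b4d"]
STORED_DIGEST = hashlib.sha256(SECRET.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print("positions examined per guess:", matching_prefix_leak(SECRET, GUESSES))
    print("constant-time compare of the right token:", compare_constant_time(SECRET, GUESSES[-1]))
    print("digest-based verification:", verify_token(STORED_DIGEST, SECRET))
```

matching_prefix_leak(SECRET, GUESSES) returns [1, 3, 7, 12]: every additional correct byte costs the server one more comparison, and that difference, averaged over many requests, is what a remote attacker measures. hmac.compare_digest removes the dependence on where the mismatch occurs; hashing tokens before storing them means the stored value is not the secret the client presents.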
CVE-2016-6127 | MEDIUM | CVSS 6.1 | 2016 | fixed in request-tracker4 4.4.1-4 (bookworm)
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.
Scope: local. bookworm: resolved (fixed in 4.4.1-4).

CVE-2015-5475 | MEDIUM | CVSS 4.3 | 2015 | fixed in request-tracker4 4.2.11-2 (bookworm)
Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2) group rights management pages.
Scope: local. bookworm: resolved (fixed in 4.2.11-2); bullseye: resolved (fixed in 4.2.11-2); sid: resolved (fixed in 4.2.11-2).

CVE-2015-6506 | MEDIUM | CVSS 4.3 | 2015 | fixed in request-tracker4 4.2.11-2 (bookworm)
Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.
Scope: local. bookworm: resolved (fixed in 4.2.11-2); bullseye: resolved (fixed in 4.2.11-2); sid: resolved (fixed in 4.2.11-2).

CVE-2015-1464 | MEDIUM | CVSS 6.4 | 2015 | fixed in request-tracker4 4.2.8-3 (bookworm)
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Scope: local. bookworm: resolved (fixed in 4.2.8-3); bullseye: resolved (fixed in 4.2.8-3); sid: resolved (fixed in 4.2.8-3).

CVE-2015-1165 | MEDIUM | CVSS 5.0 | 2015 | fixed in request-tracker4 4.2.8-3 (bookworm)
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.
Scope: local. bookworm: resolved (fixed in 4.2.8-3); bullseye: resolved (fixed in 4.2.8-3); sid: resolved (fixed in 4.2.8-3).

CVE-2014-9472 | HIGH | CVSS 7.1 | 2014 | fixed in request-tracker4 4.2.8-3 (bookworm)
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
Scope: local. bookworm: resolved (fixed in 4.2.8-3); bullseye: resolved (fixed in 4.2.8-3); sid: resolved (fixed in 4.2.8-3).

CVE-2013-5587 | MEDIUM | CVSS 4.3 | 2013 | fixed in request-tracker4 4.0.12-2 (bookworm)
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved.

CVE-2013-3370 | MEDIUM | CVSS 6.8 | 2013 | fixed in request-tracker4 4.0.12-2 (bookworm)
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved (fixed in 4.0.12-2); sid: resolved (fixed in 4.0.12-2).

CVE-2013-3374 | MEDIUM | CVSS 4.3 | 2013 | fixed in request-tracker4 4.0.12-2 (bookworm)
Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences and caches) via unknown vectors, related to a "limited session re-use."
Scope: local. bookworm: resolved (fixed in 4.0.12-2); bullseye: resolved.

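To turn the "fixed in" column of the listing above into an actual check, the Python below (an added example, not part of the Debian security tracker) compares an installed request-tracker4 version with the bookworm fixed versions of the 20 entries on this page and lists the CVEs still open. It reimplements dpkg's version ordering (epoch first, then upstream version and Debian revision compared as alternating non-digit and numeric runs, with "~" sorting before everything) so it runs without dpkg; the FIXED_BOOKWORM table and the function names are this example's own.

```python
# Added example (not part of the Debian tracker): compare an installed
# request-tracker4 version against the bookworm "fixed in" versions listed
# on this page and report which CVEs are still open. dpkg's version ordering
# is reimplemented so this runs without dpkg; on a Debian host,
# `dpkg --compare-versions` is the authoritative check.

def _order(c: str) -> int:
    """dpkg character weight: '~' < end of string < letters < other non-digits."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    if c and not c.isdigit():
        return ord(c) + 256
    return 0  # digit (handled numerically) or end of string

def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: weighted character compare
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: numeric compare, leading zeros ignored
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version: str):
    """Split [epoch:]upstream[-revision]; the revision follows the LAST hyphen."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b (dpkg ordering)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

# bookworm "fixed in" versions copied from the 20 entries on this page (page 1
# of 3). CVEs on the other pages are absent, so an empty result means "nothing
# listed here is open", not "no open CVEs".
FIXED_BOOKWORM = {
    "CVE-2025-30087": "4.4.6+dfsg-1.1+deb12u2",
    "CVE-2025-61873": "4.4.6+dfsg-1.1+deb12u3",
    "CVE-2025-2545": "4.4.6+dfsg-1.1+deb12u2",
    "CVE-2024-3262": "4.4.6+dfsg-1.1+deb12u2",
    "CVE-2023-41259": "4.4.6+dfsg-1.1+deb12u1",
    "CVE-2023-41260": "4.4.6+dfsg-1.1+deb12u1",
    "CVE-2022-25802": "4.4.6+dfsg-1",
    "CVE-2021-38562": "4.4.4+dfsg-3",
    "CVE-2017-5943": "4.4.1-4",
    "CVE-2017-5944": "4.4.1-4",
    "CVE-2017-5361": "4.4.1-4",
    "CVE-2016-6127": "4.4.1-4",
    "CVE-2015-5475": "4.2.11-2",
    "CVE-2015-6506": "4.2.11-2",
    "CVE-2015-1464": "4.2.8-3",
    "CVE-2015-1165": "4.2.8-3",
    "CVE-2014-9472": "4.2.8-3",
    "CVE-2013-5587": "4.0.12-2",
    "CVE-2013-3370": "4.0.12-2",
    "CVE-2013-3374": "4.0.12-2",
}

def open_cves(installed: str, fixed=FIXED_BOOKWORM):
    """CVEs whose fixing version is newer than the installed one, e.g. the
    output of: dpkg-query -W -f='${Version}' request-tracker4"""
    return sorted(cve for cve, fix in fixed.items() if compare_versions(installed, fix) < 0)
```

On a Debian host the installed version comes from dpkg-query -W -f='${Version}' request-tracker4 and dpkg --compare-versions is the authoritative comparison; this reimplementation is for a laptop or CI job without dpkg. A bookworm system at 4.4.6+dfsg-1.1+deb12u1 is reported as still open for CVE-2024-3262, CVE-2025-2545, CVE-2025-30087 and CVE-2025-61873, all of which were fixed in later deb12u uploads; because only page 1 of 3 is in the table, an empty result means nothing listed here is open, not that the package is clean.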