Bestpractical

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-1165 3Bestpractical DebianFedoraproject 3Debian Linux FedoraRequest Tracker May 6, 2026 Mar 9, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.
CVE-2014-9472 3Bestpractical DebianFedoraproject 3Debian Linux FedoraRequest Tracker May 6, 2026 Mar 9, 2015 N/A· v4 N/A· v3 7.1 HIGH· v2 The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
CVE-2013-3737 1Bestpractical 1Request Tracker May 6, 2026 Nov 16, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows re...Show more The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors.Show less
CVE-2014-1474 2Bestpractical Email\ 2\ Rt May 6, 2026 Jul 15, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.
CVE-2013-3736 1Bestpractical 2Request Tracker Rt Extension Mobileui May 6, 2026 May 5, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via th...Show more Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the name of an attached file.Show less
CVE-2013-5587 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 2.6 LOW· v2 Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue h...Show more Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.Show less
CVE-2013-3374 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences...Show more Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive information (user preferences and caches) via unknown vectors, related to a "limited session re-use."Show less
CVE-2013-3373 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
CVE-2013-3372 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors...Show more Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors.Show less
CVE-2013-3371 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an attachment.
CVE-2013-3370 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.
CVE-2013-3369 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.
CVE-2013-3368 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 3.3 LOW· v2 bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name.
CVE-2012-4733 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets v...Show more Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.Show less
CVE-2012-6581 1Bestpractical 1Request Tracker Apr 29, 2026 Jul 24, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail...Show more Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.Show less
CVE-2012-6580 1Bestpractical 1Request Tracker Apr 29, 2026 Jul 24, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to sp...Show more Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditing via an e-mail message to a queue's address.Show less
CVE-2012-6579 1Bestpractical 1Request Tracker Apr 29, 2026 Jul 24, 2013 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly cause a denial of servic...Show more Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly cause a denial of service (loss of e-mail readability), via an e-mail message to a queue's address.Show less
CVE-2012-6578 1Bestpractical 1Request Tracker Apr 29, 2026 Jul 24, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote attackers to spoof mess...Show more Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote attackers to spoof messages by leveraging the lack of authentication semantics.Show less
CVE-2013-3525 1Bestpractical 1Request Tracker Apr 29, 2026 May 10, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating...Show more SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.Show less
CVE-2012-4884 1Bestpractical 1Rt Apr 29, 2026 Nov 11, 2012 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG client.

Previous 123 4 Next