Severity: Unrated. NVD Advisory. Published Nov 17, 2009. Updated Apr 23, 2026.

CVE-2009-3892

Description

Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions allows remote attackers to inject arbitrary web script or HTML via certain Custom Fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in RT Custom Fields allows remote attackers to inject arbitrary web script or HTML via user-supplied input.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Best Practical Solutions RT versions 3.4.6 through 3.8.4, specifically in the display of Custom Fields [1][2]. The bug is an escaping flaw that permits injection of arbitrary JavaScript into the RT user interface. It affects Custom Fields that accept free-form data from end users (e.g., "Enter one Value" or "Fill in one text area"), but does not affect "select one value" fields [1][2]. The vulnerable versions are RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 releases [1].

Exploitation

An attacker must be able to set Custom Field values that are user-supplied, either through the Web UI (SelfService) or via automated parsing scripts such as RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail, or a local parsing modification [1][2]. If only privileged users have the ModifyCustomField permission, the attack surface is limited to trusted users [1][2]. The attacker does not need special network access beyond being a user of the RT system; the injected script or HTML is then displayed to other users when they view the affected ticket or Custom Field, leading to XSS [1].

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the RT UI [1][2]. The attacker can achieve information disclosure, session hijacking, or other malicious actions within the context of the victim's browser session and RT privileges [1]. The impact is limited to users who view the injected content; it does not directly lead to server-side compromise unless combined with other vulnerabilities.

Mitigation

Fixed versions are RT 3.6.9 and RT 3.8.5, released on September 14, 2009 [1][2]. Patches for the 3.4, 3.6, and 3.8 branches were also provided for administrators who could not upgrade immediately [1][2]. Mitigation involves upgrading to the patched versions or applying the provided patches and clearing the Mason cache (rm -rf /opt/rt3/var/mason_data/obj/*), then restarting the web server [1][2]. Administrators who do not allow external users to set Custom Field values have a reduced attack surface [1]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
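The advisory describes the flaw as an escaping defect: free-form Custom Field text was interpolated into the ticket page as live markup. The following Python is an added illustration, not RT's code or Best Practical's patch: it places the flawed render pattern beside the hardened one (output-time HTML escaping) and adds a hypothetical review helper that flags stored values containing markup, which an administrator might run over existing ticket data after upgrading. The field names, the sample values and the function names are all constructed for the example.

```python
import html
import re

# Constructed sample Custom Field values, as an end user could submit them
# through SelfService or a mail-parsing extension (not taken from the advisory).
SAMPLE_VALUES = {
    "Reporter": "Alice <alice@example.com>",
    "Notes": "Disk at 95% & growing",
    "Browser": "<script>alert(1)</script>",  # constructed hostile value
}


def render_unescaped(name, value):
    """Flawed pattern: free-form text is interpolated straight into HTML,
    so any markup inside the value becomes live markup in the page."""
    return f"<tr><td>{name}</td><td>{value}</td></tr>"


def render_escaped(name, value):
    """Hardened pattern: every untrusted string is HTML-escaped at output
    time, so <, >, & and quotes reach the browser as text only."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


# Heuristic for an HTML tag: '<', optional '/', a tag name, then either the
# end of the tag or whitespace-separated attributes. A bare '<' followed by
# an e-mail address (as in "Alice <alice@example.com>") does not match.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][a-zA-Z0-9]*(\s[^>]*)?\s*/?>")


def audit_stored_values(values):
    """Return the names of Custom Fields whose stored value contains markup.
    Hypothetical review aid: escaping at render time protects viewers, but
    it is still worth knowing which stored values carried tags."""
    return sorted(name for name, value in values.items() if TAG_RE.search(value))


def markup_is_live(rendered, value):
    """True if the raw value appears unchanged in the rendered HTML, i.e.
    the browser would interpret any tags it contains."""
    return value in rendered


if __name__ == "__main__":
    for field, text in SAMPLE_VALUES.items():
        print("flawed:  ", render_unescaped(field, text))
        print("hardened:", render_escaped(field, text))
    print("fields containing markup:", audit_stored_values(SAMPLE_VALUES))
```

The escaped output for the "Browser" field is `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays literally; the unescaped output still contains the raw tag. Note that `audit_stored_values` is only a heuristic for triage: it deliberately ignores an e-mail address in angle brackets, but a reviewer should still inspect anything it reports by hand.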

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Bestpractical/Rt (16 versions)
    • cpe:2.3:a:bestpractical:rt:3.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*
    • (no CPE) range: 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.