VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2011 · Updated Apr 29, 2026

CVE-2011-1689

Description

Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in RT 2.0.0-3.6.10, 3.8.0-3.8.9, and 4.0.0rc-4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML.

Vulnerability

Best Practical Solutions RT versions 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 contain multiple cross-site scripting (XSS) vulnerabilities. The exact vectors are unspecified, but the flaws allow remote attackers to inject arbitrary web script or HTML into the application [1][2].

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious URL or input that, when processed by RT, injects script or HTML into a page viewed by another user. No authentication is required for the injection, but the victim must interact with the crafted link or content (e.g., clicking a link or viewing a page) for the payload to execute [1][2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript or HTML in the context of the victim's browser session. This can lead to theft of session cookies, defacement, or redirection to malicious sites, potentially compromising the confidentiality and integrity of the RT instance and its data [1][2].

Mitigation

The vulnerabilities are fixed in RT versions 3.6.11, 3.8.10, and 4.0.0rc8 [1][4]. Administrators should upgrade to these or later releases immediately. No workarounds are documented; upgrading is the only known mitigation [1][2][4].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

80
  • Bestpractical/Rt: 80 versions
    cpe:2.3:a:bestpractical:rt:2.0.0:*:*:*:*:*:*:* + 79 more
    • (no CPE) range: >=2.0.0, <=3.6.10 || >=3.8.0, <=3.8.9 || >=4.0.0rc, <=4.0.0rc7

Patches

0

No patches discovered yet.

References

10
