CVE-2012-2769

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the topic administration page of the Extension::MobileUI extension for Best Practical Solutions RT 3.8.x and in RT before 4.0.6. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Affected versions include Extension::MobileUI before 1.02 and RT before 4.0.6 [1].

Exploitation

An attacker can exploit these XSS vulnerabilities by sending crafted input to the topic administration page. No authentication or special privileges are mentioned as required; the attacker only needs to be able to submit data to the vulnerable page. The exact attack vector is not disclosed in the available references [1].

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML, leading to potential information disclosure, session hijacking, or other client-side attacks. The attacker's injected script executes in the context of the victim's browser when they view the affected page [1].

Mitigation

Users should upgrade to Extension::MobileUI version 1.02 or later for RT 3.8.x, and to RT version 4.0.6 or later. The advisory notes that only installations with the vulnerable extension are affected; RT installations without the extension are not vulnerable [1]. No other workarounds are provided in the available references.