Unrated severityNVD Advisory· Published May 10, 2013· Updated Apr 29, 2026
CVE-2013-3525
CVE-2013-3525
Description
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
Affected products
24cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*+ 23 more
- cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*range: <=4.0.9
- cpe:2.3:a:bestpractical:request_tracker:3.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.13:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.15:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.16:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:3.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:bestpractical:request_tracker:4.0.8:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- cxsecurity.com/issue/WLB-2013040083nvdExploit
- www.securityfocus.com/bid/59022nvdExploit
- blog.bestpractical.com/2013/04/on-our-security-policies.htmlnvd
- osvdb.org/92265nvd
- packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.htmlnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/83375nvd
News mentions
0No linked articles in our index yet.