Bestpractical
Products
8- 55 CVEs
- 38 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 0 CVEs
Recent CVEs
79| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5944 | Hig | 0.57 | 8.8 | 0.03 | Jul 3, 2017 | The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name. | ||
| CVE-2017-5943 | Hig | 0.57 | 8.8 | 0.01 | Jul 3, 2017 | Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL. | ||
| CVE-2026-41075 | Hig | 0.50 | 8.8 | 0.00 | May 22, 2026 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation,… | ||
| CVE-2026-41076 | Hig | 0.46 | 8.1 | 0.00 | May 22, 2026 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server… | ||
| CVE-2016-6127 | Med | 0.40 | 6.1 | 0.01 | Jul 3, 2017 | Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with… | ||
| CVE-2026-41074 | Hig | 0.39 | 7.1 | 0.00 | May 22, 2026 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing… | ||
| CVE-2017-5361 | Med | 0.38 | 5.9 | 0.01 | Jul 3, 2017 | Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack. | ||
| CVE-2024-3262 | Med | 0.36 | 5.5 | 0.00 | Apr 4, 2024 | Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information… | ||
| CVE-2025-9158 | Med | 0.34 | — | 0.00 | Oct 24, 2025 | The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code… | ||
| CVE-2026-6841 | Med | 0.33 | 6.1 | 0.00 | May 21, 2026 | Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects… | ||
| CVE-2026-41073 | Med | 0.23 | 4.6 | 0.00 | May 22, 2026 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output… | ||
| CVE-2025-61873 | Low | 0.17 | 2.6 | 0.00 | Jan 16, 2026 | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | ||
| CVE-2025-2545 | Low | 0.15 | — | 0.00 | May 5, 2025 | Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday… | ||
| CVE-2013-3525 | 0.03 | — | 0.03 | May 10, 2013 | SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that… | |||
| CVE-2025-30087 | 0.00 | — | 0.00 | May 28, 2025 | Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL. | |||
| CVE-2025-31501 | 0.00 | — | 0.00 | May 28, 2025 | Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink. | |||
| CVE-2025-31500 | 0.00 | — | 0.00 | May 28, 2025 | Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. | |||
| CVE-2023-45024 | 0.00 | — | 0.01 | Nov 3, 2023 | Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder. | |||
| CVE-2023-41260 | 0.00 | — | 0.01 | Nov 3, 2023 | Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls. | |||
| CVE-2023-41259 | 0.00 | — | 0.01 | Nov 3, 2023 | Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call. |
- risk 0.57cvss 8.8epss 0.03
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
- risk 0.57cvss 8.8epss 0.01
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens via a crafted URL.
- risk 0.50cvss 8.8epss 0.00
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation,…
- risk 0.46cvss 8.1epss 0.00
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server…
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with…
- risk 0.39cvss 7.1epss 0.00
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing…
- risk 0.38cvss 5.9epss 0.01
Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
- risk 0.36cvss 5.5epss 0.00
Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information…
- risk 0.34cvss —epss 0.00
The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code…
- risk 0.33cvss 6.1epss 0.00
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects…
- risk 0.23cvss 4.6epss 0.00
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output…
- risk 0.17cvss 2.6epss 0.00
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
- risk 0.15cvss —epss 0.00
Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday…
- CVE-2013-3525May 10, 2013risk 0.03cvss —epss 0.03
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that…
- CVE-2025-30087May 28, 2025risk 0.00cvss —epss 0.00
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
- CVE-2025-31501May 28, 2025risk 0.00cvss —epss 0.00
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
- CVE-2025-31500May 28, 2025risk 0.00cvss —epss 0.00
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
- CVE-2023-45024Nov 3, 2023risk 0.00cvss —epss 0.01
Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
- CVE-2023-41260Nov 3, 2023risk 0.00cvss —epss 0.01
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
- CVE-2023-41259Nov 3, 2023risk 0.00cvss —epss 0.01
Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.