CVE-2012-4733
A user with the ModifyTicket right can bypass the DeleteTicket right
or any custom lifecycle transition rights and thus modify ticket data
without authorization.
CVE-2013-3368
The rt command line tool uses semi-predictable temporary files. A
malicious user can use this flaw to overwrite files with permissions
of the user running the rt command line tool.
CVE-2013-3369
A malicious user who is allowed to see administration pages can run
arbitrary Mason components (without control of arguments), which may
have negative side-effects.
CVE-2013-3370
Request Tracker allows direct requests to private callback
components, which could be used to exploit a Request Tracker
extension or a local callback which uses the arguments passed to it
insecurely.
CVE-2013-3371
Request Tracker is vulnerable to cross-site scripting attacks via
attachment filenames.
CVE-2013-3372
Dominic Hargreaves discovered that Request Tracker is vulnerable to
an ...