Description
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."
Exploits (1)
References (6)
Core References
http://cxsecurity.com/issue/WLB-2013040083 (Exploit; x_refsource_misc)
http://osvdb.org/92265 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_osvdb)
http://blog.bestpractical.com/2013/04/on-our-security-policies.html (Various Sources; x_refsource_misc)
http://www.securityfocus.com/bid/59022 (Exploit; vdb-entry, x_refsource_bid)
http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html (Exploit, Third Party Advisory; x_refsource_misc)
https://exchange.xforce.ibmcloud.com/vulnerabilities/83375 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
Scores
EPSS: 0.0152
EPSS Percentile: 81.4%
Details
CWE: CWE-89
Status: published
Products (24)
bestpractical/request_tracker 3.6.8
bestpractical/request_tracker 3.6.10
bestpractical/request_tracker 3.6.11
bestpractical/request_tracker 3.8.3
bestpractical/request_tracker 3.8.4
bestpractical/request_tracker 3.8.7
bestpractical/request_tracker 3.8.9
bestpractical/request_tracker 3.8.10
bestpractical/request_tracker 3.8.11
bestpractical/request_tracker 3.8.12
... and 14 more
Published: May 10, 2013
Tracked Since: Feb 18, 2026