CVE-2013-3525

Request Tracker < 4.0.9 - SQL Injection via ShowPending Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-3525. PoCs published by cheki.

AI-analyzed exploit summary This exploit demonstrates an SQL injection vulnerability in Request Tracker (RT) 4.0.10 by injecting a malicious payload into the 'ShowPending' parameter of a POST request. The payload manipulates the SQL query to bypass authentication or extract sensitive data.

Description

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.

Exploits (1)

exploitdb WORKING POC VERIFIED

by cheki · textwebappsphp

https://www.exploit-db.com/exploits/38459

View Code ZIP pw:eip

This exploit demonstrates an SQL injection vulnerability in Request Tracker (RT) 4.0.10 by injecting a malicious payload into the 'ShowPending' parameter of a POST request. The payload manipulates the SQL query to bypass authentication or extract sensitive data.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Request Tracker (RT) 4.0.10

Auth required

Prerequisites: Valid session cookie (RT_SID_example.com.80) · Access to the Approvals endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit x_refsource_misc

http://cxsecurity.com/issue/WLB-2013040083

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/92265

Various Sources x_refsource_misc

http://blog.bestpractical.com/2013/04/on-our-security-policies.html

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/59022

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/83375

Scores

EPSS 0.0281

EPSS Percentile 84.7%

Details

CWE

CWE-89

Status published

Products (24)

bestpractical/request_tracker 3.6.8

bestpractical/request_tracker 3.6.10

bestpractical/request_tracker 3.6.11

bestpractical/request_tracker 3.8.3

bestpractical/request_tracker 3.8.4

bestpractical/request_tracker 3.8.7

bestpractical/request_tracker 3.8.9

bestpractical/request_tracker 3.8.10

bestpractical/request_tracker 3.8.11

bestpractical/request_tracker 3.8.12

... and 14 more

Published May 10, 2013

Tracked Since Feb 18, 2026