CVE-2017-5944

HIGH

Request Tracker 4.x < 4.0.25, 4.2.x < 4.2.14, 4.4.x < 4.4.2 - Remote Code Execution via Dashboard

Title source: llm
STIX 2.1

Description

The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99381
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3882

Scores

CVSS v3 8.8
EPSS 0.0278
EPSS Percentile 84.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (41)
bestpractical/request_tracker 4.0.0
bestpractical/request_tracker 4.0.1
bestpractical/request_tracker 4.0.2
bestpractical/request_tracker 4.0.3
bestpractical/request_tracker 4.0.4
bestpractical/request_tracker 4.0.5
bestpractical/request_tracker 4.0.6
bestpractical/request_tracker 4.0.7
bestpractical/request_tracker 4.0.8
bestpractical/request_tracker 4.0.9
... and 31 more
Published Jul 03, 2017
Tracked Since Feb 18, 2026