CVE-2017-5944
HIGHRequest Tracker 4.x < 4.0.25, 4.2.x < 4.2.14, 4.4.x < 4.4.2 - Remote Code Execution via Dashboard
Title source: llmDescription
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/99381
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3882
Scores
CVSS v3
8.8
EPSS
0.0278
EPSS Percentile
84.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (41)
bestpractical/request_tracker
4.0.0
bestpractical/request_tracker
4.0.1
bestpractical/request_tracker
4.0.2
bestpractical/request_tracker
4.0.3
bestpractical/request_tracker
4.0.4
bestpractical/request_tracker
4.0.5
bestpractical/request_tracker
4.0.6
bestpractical/request_tracker
4.0.7
bestpractical/request_tracker
4.0.8
bestpractical/request_tracker
4.0.9
... and 31 more
Published
Jul 03, 2017
Tracked Since
Feb 18, 2026