Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    142 vulnerabilities by bestpractical

    CVE-2026-41076 (GCVE-0-2026-41076)

    Vulnerability from nvd – Published: 2026-05-22 21:36 – Updated: 2026-05-28 03:55
    VLAI
    Title
    RT: LDAP authentication bypass via empty password
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:46.905Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials.  This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server\u0027s authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:36:21.585Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-3w28-fmcr-mjjx",
            "discovery": "UNKNOWN"
          },
          "title": "RT: LDAP authentication bypass via empty password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41076",
        "datePublished": "2026-05-22T21:36:21.585Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-28T03:55:46.905Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41075 (GCVE-0-2026-41075)

    Vulnerability from nvd – Published: 2026-05-22 21:17 – Updated: 2026-05-28 03:55
    VLAI
    Title
    RT: SQL injection via entry_aggregator parameter in JSON search
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: >= 5.0.0, < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:45.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:17:36.063Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-7vf8-xv7w-97c6",
            "discovery": "UNKNOWN"
          },
          "title": "RT: SQL injection via entry_aggregator parameter in JSON search"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41075",
        "datePublished": "2026-05-22T21:17:36.063Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-28T03:55:45.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41074 (GCVE-0-2026-41074)

    Vulnerability from nvd – Published: 2026-05-22 21:12 – Updated: 2026-05-26 18:44
    VLAI
    Title
    RT has broken CSRF protection for authenticated users
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T18:44:34.070817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T18:44:57.087Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user\u0027s behalf. This issue has been fixed in version 6.0.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:12:41.473Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-265j-qx4w-256j",
            "discovery": "UNKNOWN"
          },
          "title": "RT has broken CSRF protection for authenticated users"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41074",
        "datePublished": "2026-05-22T21:12:41.473Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-26T18:44:57.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41073 (GCVE-0-2026-41073)

    Vulnerability from nvd – Published: 2026-05-22 21:10 – Updated: 2026-05-23 02:57
    VLAI
    Title
    RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-23T02:57:10.802457Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-23T02:57:38.966Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:10:22.249Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6x92-7v65-7m3r",
            "discovery": "UNKNOWN"
          },
          "title": "RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41073",
        "datePublished": "2026-05-22T21:10:22.249Z",
        "dateReserved": "2026-04-16T16:43:03.174Z",
        "dateUpdated": "2026-05-23T02:57:38.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6841 (GCVE-0-2026-6841)

    Vulnerability from nvd – Published: 2026-05-21 11:49 – Updated: 2026-05-21 12:45 X_Open Source
    VLAI
    Title
    Reflected XSS in Request Tracker
    Summary
    Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Best Practical Request Tracker Affected: 5.0.4 , < 5.0.10 (semver)
    Affected: 6.0.0 , < 6.0.3 (semver)
    Create a notification for this product.
    Date Public
    2026-05-21 10:38
    Credits
    Aleksander Iwicki (CERT Polska)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T12:42:30.866693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T12:45:14.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Request Tracker",
              "repo": "https://github.com/bestpractical/rt",
              "vendor": "Best Practical",
              "versions": [
                {
                  "lessThan": "5.0.10",
                  "status": "affected",
                  "version": "5.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aleksander Iwicki (CERT Polska)"
            }
          ],
          "datePublic": "2026-05-21T10:38:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u0026nbsp;6.0.2.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-591 Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-21T11:49:07.533Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2026/05/CVE-2026-6841"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://requesttracker.com/request-tracker/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.10"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/6.0.3"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Reflected XSS in Request Tracker",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2026-6841",
        "datePublished": "2026-05-21T11:49:07.533Z",
        "dateReserved": "2026-04-22T07:09:40.481Z",
        "dateUpdated": "2026-05-21T12:45:14.647Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61873 (GCVE-0-2025-61873)

    Vulnerability from nvd – Published: 2026-01-16 00:00 – Updated: 2026-01-16 18:31
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical Request Tracker Affected: 0 , < 4.4.9 (custom)
    Affected: 5.0 , < 5.0.9 (custom)
    Affected: 6.0 , < 6.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T18:27:46.566310Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T18:31:10.182Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Request Tracker",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "4.4.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.9",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.2",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.9",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.9",
                      "versionStartIncluding": "5.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "6.0.2",
                      "versionStartIncluding": "6.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-16T18:16:17.553Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-61873",
        "datePublished": "2026-01-16T00:00:00.000Z",
        "dateReserved": "2025-10-03T00:00:00.000Z",
        "dateUpdated": "2026-01-16T18:31:10.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31501 (GCVE-0-2025-31501)

    Vulnerability from nvd – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
    VLAI
    Summary
    Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31501",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T17:59:24.546058Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:59:29.685Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:48:25.633Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-31501",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-28T00:00:00.000Z",
        "dateUpdated": "2025-05-28T17:59:29.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31500 (GCVE-0-2025-31500)

    Vulnerability from nvd – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
    VLAI
    Summary
    Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31500",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T17:59:42.444191Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:59:47.499Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:45:41.901Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-31500",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-28T00:00:00.000Z",
        "dateUpdated": "2025-05-28T17:59:47.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30087 (GCVE-0-2025-30087)

    Vulnerability from nvd – Published: 2025-05-28 00:00 – Updated: 2025-11-03 19:46
    VLAI
    Summary
    Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 4.4.0 , < 4.4.8 (semver)
    Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T18:00:11.113721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T18:00:16.350Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:46:45.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00009.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "4.4.8",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.8",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:53:01.345Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-30087",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-16T00:00:00.000Z",
        "dateUpdated": "2025-11-03T19:46:45.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-45024 (GCVE-0-2023-45024)

    Vulnerability from nvd – Published: 2023-11-03 00:00 – Updated: 2024-09-06 14:00
    VLAI
    Summary
    Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45024",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-06T14:00:24.225531Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-06T14:00:30.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:19:31.617Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-45024",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-10-03T00:00:00.000Z",
        "dateUpdated": "2024-09-06T14:00:30.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41260 (GCVE-0-2023-41260)

    Vulnerability from nvd – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    best_practical_solutions request_tracker Affected: 0 , < 4.4.7 (custom)
    Affected: 5x , < 5.0.5 (custom)
        cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T19:21:06.955Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "request_tracker",
                "vendor": "best_practical_solutions",
                "versions": [
                  {
                    "lessThan": "4.4.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.0.5",
                    "status": "affected",
                    "version": "5x",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T14:47:43.604407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T14:51:22.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:17:29.880Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-41260",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-08-25T00:00:00.000Z",
        "dateUpdated": "2025-11-04T19:21:06.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-41259 (GCVE-0-2023-41259)

    Vulnerability from nvd – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    best_practical_solutions request_tracker Affected: 0 , < 4.4.7 (custom)
    Affected: 5x , < 5.0.5 (custom)
        cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T19:21:05.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "request_tracker",
                "vendor": "best_practical_solutions",
                "versions": [
                  {
                    "lessThan": "4.4.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.0.5",
                    "status": "affected",
                    "version": "5x",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T14:52:22.819347Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T14:54:06.765Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:14:28.149Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-41259",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-08-25T00:00:00.000Z",
        "dateUpdated": "2025-11-04T19:21:05.839Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-25803 (GCVE-0-2022-25803)

    Vulnerability from nvd – Published: 2022-07-14 11:51 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.287Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:51:19.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25803",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25803",
        "datePublished": "2022-07-14T11:51:19.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25802 (GCVE-0-2022-25802)

    Vulnerability from nvd – Published: 2022-07-14 11:49 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.460Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:49:40.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25802",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/4.4.6",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25802",
        "datePublished": "2022-07-14T11:49:40.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25801 (GCVE-0-2022-25801)

    Vulnerability from nvd – Published: 2022-07-14 11:44 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:44:26.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25801",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/4.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25801",
        "datePublished": "2022-07-14T11:44:26.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.941Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25800 (GCVE-0-2022-25800)

    Vulnerability from nvd – Published: 2022-07-14 11:42 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.692Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:42:28.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25800",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/5.0.3"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rtir/4.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rtir/4.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25800",
        "datePublished": "2022-07-14T11:42:28.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-41076 (GCVE-0-2026-41076)

    Vulnerability from cvelistv5 – Published: 2026-05-22 21:36 – Updated: 2026-05-28 03:55
    VLAI
    Title
    RT: LDAP authentication bypass via empty password
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:46.905Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials.  This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server\u0027s authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:36:21.585Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-3w28-fmcr-mjjx",
            "discovery": "UNKNOWN"
          },
          "title": "RT: LDAP authentication bypass via empty password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41076",
        "datePublished": "2026-05-22T21:36:21.585Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-28T03:55:46.905Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41075 (GCVE-0-2026-41075)

    Vulnerability from cvelistv5 – Published: 2026-05-22 21:17 – Updated: 2026-05-28 03:55
    VLAI
    Title
    RT: SQL injection via entry_aggregator parameter in JSON search
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: >= 5.0.0, < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:45.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:17:36.063Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-7vf8-xv7w-97c6",
            "discovery": "UNKNOWN"
          },
          "title": "RT: SQL injection via entry_aggregator parameter in JSON search"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41075",
        "datePublished": "2026-05-22T21:17:36.063Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-28T03:55:45.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41074 (GCVE-0-2026-41074)

    Vulnerability from cvelistv5 – Published: 2026-05-22 21:12 – Updated: 2026-05-26 18:44
    VLAI
    Title
    RT has broken CSRF protection for authenticated users
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T18:44:34.070817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T18:44:57.087Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user\u0027s behalf. This issue has been fixed in version 6.0.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:12:41.473Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-265j-qx4w-256j",
            "discovery": "UNKNOWN"
          },
          "title": "RT has broken CSRF protection for authenticated users"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41074",
        "datePublished": "2026-05-22T21:12:41.473Z",
        "dateReserved": "2026-04-16T16:43:03.175Z",
        "dateUpdated": "2026-05-26T18:44:57.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41073 (GCVE-0-2026-41073)

    Vulnerability from cvelistv5 – Published: 2026-05-22 21:10 – Updated: 2026-05-23 02:57
    VLAI
    Title
    RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
    Summary
    RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical rt Affected: < 5.0.10
    Affected: >= 6.0.0, < 6.0.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-23T02:57:10.802457Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-23T02:57:38.966Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rt",
              "vendor": "bestpractical",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T21:10:22.249Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
            },
            {
              "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6x92-7v65-7m3r",
            "discovery": "UNKNOWN"
          },
          "title": "RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41073",
        "datePublished": "2026-05-22T21:10:22.249Z",
        "dateReserved": "2026-04-16T16:43:03.174Z",
        "dateUpdated": "2026-05-23T02:57:38.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6841 (GCVE-0-2026-6841)

    Vulnerability from cvelistv5 – Published: 2026-05-21 11:49 – Updated: 2026-05-21 12:45 X_Open Source
    VLAI
    Title
    Reflected XSS in Request Tracker
    Summary
    Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Best Practical Request Tracker Affected: 5.0.4 , < 5.0.10 (semver)
    Affected: 6.0.0 , < 6.0.3 (semver)
    Create a notification for this product.
    Date Public
    2026-05-21 10:38
    Credits
    Aleksander Iwicki (CERT Polska)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T12:42:30.866693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T12:45:14.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Request Tracker",
              "repo": "https://github.com/bestpractical/rt",
              "vendor": "Best Practical",
              "versions": [
                {
                  "lessThan": "5.0.10",
                  "status": "affected",
                  "version": "5.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aleksander Iwicki (CERT Polska)"
            }
          ],
          "datePublic": "2026-05-21T10:38:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u0026nbsp;6.0.2.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-591 Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-21T11:49:07.533Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2026/05/CVE-2026-6841"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://requesttracker.com/request-tracker/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.10"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/6.0.3"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Reflected XSS in Request Tracker",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2026-6841",
        "datePublished": "2026-05-21T11:49:07.533Z",
        "dateReserved": "2026-04-22T07:09:40.481Z",
        "dateUpdated": "2026-05-21T12:45:14.647Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61873 (GCVE-0-2025-61873)

    Vulnerability from cvelistv5 – Published: 2026-01-16 00:00 – Updated: 2026-01-16 18:31
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical Request Tracker Affected: 0 , < 4.4.9 (custom)
    Affected: 5.0 , < 5.0.9 (custom)
    Affected: 6.0 , < 6.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T18:27:46.566310Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T18:31:10.182Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Request Tracker",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "4.4.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.9",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.2",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.9",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.9",
                      "versionStartIncluding": "5.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "6.0.2",
                      "versionStartIncluding": "6.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-16T18:16:17.553Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-61873",
        "datePublished": "2026-01-16T00:00:00.000Z",
        "dateReserved": "2025-10-03T00:00:00.000Z",
        "dateUpdated": "2026-01-16T18:31:10.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31501 (GCVE-0-2025-31501)

    Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
    VLAI
    Summary
    Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31501",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T17:59:24.546058Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:59:29.685Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:48:25.633Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-31501",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-28T00:00:00.000Z",
        "dateUpdated": "2025-05-28T17:59:29.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31500 (GCVE-0-2025-31500)

    Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-05-28 17:59
    VLAI
    Summary
    Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31500",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T17:59:42.444191Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:59:47.499Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:45:41.901Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-31500",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-28T00:00:00.000Z",
        "dateUpdated": "2025-05-28T17:59:47.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30087 (GCVE-0-2025-30087)

    Vulnerability from cvelistv5 – Published: 2025-05-28 00:00 – Updated: 2025-11-03 19:46
    VLAI
    Summary
    Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    bestpractical RT Affected: 4.4.0 , < 4.4.8 (semver)
    Affected: 5.0.0 , < 5.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-28T18:00:11.113721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T18:00:16.350Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:46:45.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00009.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RT",
              "vendor": "bestpractical",
              "versions": [
                {
                  "lessThan": "4.4.8",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.8",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.8",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.0.8",
                      "versionStartIncluding": "5.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-28T17:53:01.345Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.8"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-30087",
        "datePublished": "2025-05-28T00:00:00.000Z",
        "dateReserved": "2025-03-16T00:00:00.000Z",
        "dateUpdated": "2025-11-03T19:46:45.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-41259 (GCVE-0-2023-41259)

    Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    best_practical_solutions request_tracker Affected: 0 , < 4.4.7 (custom)
    Affected: 5x , < 5.0.5 (custom)
        cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T19:21:05.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "request_tracker",
                "vendor": "best_practical_solutions",
                "versions": [
                  {
                    "lessThan": "4.4.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.0.5",
                    "status": "affected",
                    "version": "5x",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T14:52:22.819347Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T14:54:06.765Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:14:28.149Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-41259",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-08-25T00:00:00.000Z",
        "dateUpdated": "2025-11-04T19:21:05.839Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-41260 (GCVE-0-2023-41260)

    Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 19:21
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    best_practical_solutions request_tracker Affected: 0 , < 4.4.7 (custom)
    Affected: 5x , < 5.0.5 (custom)
        cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T19:21:06.955Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00046.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:best_practical_solutions:request_tracker:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "request_tracker",
                "vendor": "best_practical_solutions",
                "versions": [
                  {
                    "lessThan": "4.4.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.0.5",
                    "status": "affected",
                    "version": "5x",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T14:47:43.604407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T14:51:22.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:17:29.880Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.7"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-41260",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-08-25T00:00:00.000Z",
        "dateUpdated": "2025-11-04T19:21:06.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-45024 (GCVE-0-2023-45024)

    Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2024-09-06 14:00
    VLAI
    Summary
    Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45024",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-06T14:00:24.225531Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-06T14:00:30.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:19:31.617Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.5"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-45024",
        "datePublished": "2023-11-03T00:00:00.000Z",
        "dateReserved": "2023-10-03T00:00:00.000Z",
        "dateUpdated": "2024-09-06T14:00:30.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25803 (GCVE-0-2022-25803)

    Vulnerability from cvelistv5 – Published: 2022-07-14 11:51 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.287Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:51:19.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25803",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25803",
        "datePublished": "2022-07-14T11:51:19.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25802 (GCVE-0-2022-25802)

    Vulnerability from cvelistv5 – Published: 2022-07-14 11:49 – Updated: 2024-08-03 04:49
    VLAI
    Summary
    Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.460Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-14T11:49:40.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-25802",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/index.html",
                  "refsource": "MISC",
                  "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/4.4.6",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/4.4.6"
                },
                {
                  "name": "https://docs.bestpractical.com/release-notes/rt/5.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://docs.bestpractical.com/release-notes/rt/5.0.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-25802",
        "datePublished": "2022-07-14T11:49:40.000Z",
        "dateReserved": "2022-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:49:43.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }