CVE-2013-5587
Published: 23 August 2013
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.
Notes
| Author | Note |
|---|---|
| seth-arnold | See also CVE-2013-3371; 3.8 marked not-affected here |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
request-tracker3.8 Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
|
| precise |
Not vulnerable
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
request-tracker4 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Not vulnerable
(4.0.13-1)
|
|
| trusty |
Does not exist
(trusty was not-affected [4.0.19-1])
|
|
| upstream |
Released
(4.0.13)
|
|
| utopic |
Not vulnerable
(4.0.19-1)
|
|
| vivid |
Not vulnerable
(4.0.19-1)
|
|
| wily |
Not vulnerable
(4.0.19-1)
|
|
| xenial |
Not vulnerable
(4.0.19-1)
|
|
| yakkety |
Not vulnerable
(4.0.19-1)
|
|
| zesty |
Not vulnerable
(4.0.19-1)
|
References
- http://www.debian.org/security/2013/dsa-2670
- http://secunia.com/advisories/53522
- http://secunia.com/advisories/53505
- http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html
- http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html
- http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html
- https://www.cve.org/CVERecord?id=CVE-2013-5587
- NVD
- Launchpad
- Debian