Candidate: CVE-2016-6127
PublicDate: 2017-07-03 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6127
Description:
 Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before
 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the
 AlwaysDownloadAttachments config setting is not in use, allows remote
 attackers to inject arbitrary web script or HTML via a file upload with an
 unspecified content type.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_request-tracker4:
 upstream: https://github.com/bestpractical/rt/commit/aebb36bdf32cf1166d945403ab0bae8e034434a9
upstream_request-tracker4: released (4.4.1-4)
precise/esm_request-tracker4: DNE
trusty_request-tracker4: ignored (reached end-of-life)
trusty/esm_request-tracker4: DNE (trusty was needed)
vivid/ubuntu-core_request-tracker4: DNE
xenial_request-tracker4: ignored (end of standard support, was needed)
yakkety_request-tracker4: ignored (reached end-of-life)
zesty_request-tracker4: released (4.4.1-3+deb9u2build0.17.04.1)
artful_request-tracker4: not-affected (4.4.1-4)
bionic_request-tracker4: not-affected (4.4.1-4)
cosmic_request-tracker4: not-affected (4.4.1-4)
disco_request-tracker4: not-affected (4.4.1-4)
eoan_request-tracker4: not-affected (4.4.1-4)
focal_request-tracker4: not-affected (4.4.1-4)
groovy_request-tracker4: not-affected (4.4.1-4)
hirsute_request-tracker4: not-affected (4.4.1-4)
impish_request-tracker4: not-affected (4.4.1-4)
jammy_request-tracker4: not-affected (4.4.1-4)
devel_request-tracker4: not-affected (4.4.1-4)