Cross-site Scripting (XSS) Affecting request-tracker4 package, versions <4.2.11-2
Threat Intelligence
EPSS 0.28% (69th percentile)
- Snyk ID SNYK-DEBIAN12-REQUESTTRACKER4-1558718
- published 3 Sep 2015
- disclosed 3 Sep 2015
How to fix?
Upgrade Debian:12 request-tracker4 to version 4.2.11-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream request-tracker4 package and not the request-tracker4 package as distributed by Debian.
See "How to fix?" for the fixed versions and status relevant to Debian:12.
Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.
References
- https://security-tracker.debian.org/tracker/CVE-2015-6506
- http://www.debian.org/security/2015/dsa-3335
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164607.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165124.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165163.html
- https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d
- http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html
- https://bestpractical.com/release-notes/rt/4.2.12
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-6506
CVSS Scores
version 3.1