Vulnerability Description
SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bestpractical | Request Tracker | <= 4.0.9 |
Related Weaknesses (CWE)
References
- http://blog.bestpractical.com/2013/04/on-our-security-policies.html
- http://cxsecurity.com/issue/WLB-2013040083 (Exploit)
- http://osvdb.org/92265
- http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Inject
- http://www.securityfocus.com/bid/59022 (Exploit)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83375
FAQ
What is CVE-2013-3525?
CVE-2013-3525 is a vulnerability with a CVSS score of 7.5 (HIGH). SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes...
How severe is CVE-2013-3525?
CVE-2013-3525 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2013-3525?
Check the references section above for vendor advisories and patch information. Affected products include: Bestpractical Request Tracker.