PT-2023-6733 · Best Practical · Request Tracker

Tom Wolters · Published 2023-10-30 · Updated 2025-08-13 · CVE-2023-41259

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Best Practical Request Tracker (RT) versions 4.4.6 and earlier
Best Practical Request Tracker (RT) versions 5.0.4 and earlier

Description
The issue allows information disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call, because user-provided data is insufficiently sanitized when email headers are processed. Exploitation may allow a remote attacker to inject arbitrary HTML (cross-site scripting) by sending a specially crafted email message.

Recommendations
For versions 4.4.6 and earlier, update to version 4.4.7 or later. For versions 5.0.4 and earlier, update to version 5.0.5 or later. As a temporary workaround, consider restricting access to the mail-gateway REST API until a patch is available.

Fix · Information Disclosure · XSS

Weakness Enumeration

Related Identifiers

BDU:2023-07488
BDU:2023-07509
CVE-2023-41259
DLA-3642-1
DSA-5541-1
DSA-5542-1
USN-6529-1
USN-7692-1

Affected Products

Linuxmint
Request Tracker
Ubuntu