PT-2025-43582 · Unknown · Request Tracker
Mateusz Szymaniec · Published 2025-10-22 · Updated 2025-12-23 · CVE-2025-9158
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Request Tracker versions 5.0.4 through 5.0.8
Request Tracker versions 6.0.0 through 6.0.1
Description
The Request Tracker software contains a Stored Cross-Site Scripting (XSS) issue within the calendar invitation parsing feature. The software displays invitation data without proper HTML sanitization, allowing an attacker to execute JavaScript code by sending a crafted email. This execution occurs when a logged-in user views the ticket. The calendar invitation parsing feature is the component affected.
Recommendations
Request Tracker versions 5.0.4 through 5.0.8 should be updated.
Request Tracker versions 6.0.0 through 6.0.1 should be updated.
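The class of bug described above, as an added example that is not Request Tracker's code: a minimal iCalendar field parser whose values are rendered once without and once with HTML escaping. The field list, function names and sample invitation are assumptions made for illustration.

```python
import html
import re

# Fields assumed to be shown on the ticket page (an assumption; the advisory names none).
DISPLAY_FIELDS = ("SUMMARY", "LOCATION", "DESCRIPTION")

# Constructed sample invitation body, not taken from a real message.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Review <script>alert(1)</script>\r\n"
    "LOCATION:Room 4\\, East\r\n  wing\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics):
    """Undo RFC 5545 folding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def unescape_text(value):
    """Decode RFC 5545 TEXT escapes (backslash-n is a newline, backslash-X is X)."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def parse_event(ics):
    """Return display fields of the first VEVENT (quoted parameters containing ':' are not handled)."""
    fields, in_event = {}, False
    for line in unfold(ics):
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            in_event = True
        elif name == "END" and value.upper() == "VEVENT":
            break
        elif in_event and name in DISPLAY_FIELDS:
            fields[name] = unescape_text(value)
    return fields

def render_unsafe(fields):
    # Vulnerable pattern: sender-controlled values are interpolated into markup as-is.
    return "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in fields.items())

def render_safe(fields):
    # Hardened pattern: decode the iCalendar value first, then HTML-escape at output time.
    return "".join(f"<dt>{k}</dt><dd>{html.escape(v)}</dd>" for k, v in fields.items())
```

Escaping at the point of output covers every field that reaches the page, including ones added to the display list later.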
Fix
XSS
Affected Products
Request Tracker