All versions of RT are vulnerable to an email header injection
attack. Users with ModifySelf or AdminUser can cause RT to add
arbitrary headers or content to outgoing mail. Depending on the
scrips that are configured, this may be be leveraged for information
leakage or phishing.
RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability
due to lack of proper rights checking, allowing any privileged user
to create Articles in any class.
All versions of RT with cross-site-request forgery (CSRF)
protection (RT 3.8.12 and above, RT 4.0.6 and above, and any
instances running the security patches released 2012-05-22) contain
a vulnerability which incorrectly allows though CSRF requests which
toggle ticket bookmarks.
All versions of RT are vulnerable to a confused deputy attack on
the user. While not strictly a CSRF attack, users who are not logged
in who are tricked into following a malicious link may, after
supplying their credentials, be subject to an attack which leverages
their credentials to modify arbitrary state. While users who were
logged in would have observed the CSRF protection page, users who
were not logged in receive no such warning due to the intervening
login process. RT has been extended to notify users of pending
actions during the login process.
RT 3.8.0 and above are susceptible to a number of vulnerabilities
concerning improper signing or encryption of messages using GnuPG;
if GnuPG is not enabled, none of the following affect you.