FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

RT -- two XSS vulnerabilities

Affected packages
4.2.0 <= rt42 < 4.2.12
4.0.0 <= rt40 < 4.0.24

Details

VuXML ID: 83b38a2c-413e-11e5-bfcf-6805ca0b3d42
Discovery: 2015-08-12
Entry: 2015-08-12
Modified: 2015-08-18

Best Practical reports:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopec at Data Reliance Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface. This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected.

References

CVE Name: CVE-2015-5475
CVE Name: CVE-2015-6506
URL: http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html