CVE-2016-6127

NameCVE-2016-6127
DescriptionCross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-987-1, DSA-3882-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
request-tracker4 (PTS)buster, buster (security)4.4.3-2+deb10u2fixed
bullseye (security), bullseye4.4.4+dfsg-2+deb11u2fixed
bookworm, sid4.4.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
request-tracker4sourcewheezy4.0.7-5+deb7u5DLA-987-1
request-tracker4sourcejessie4.2.8-3+deb8u2DSA-3882-1
request-tracker4sourcestretch4.4.1-3+deb9u1DSA-3882-1
request-tracker4source(unstable)4.4.1-4

Search for package or bug name: Reporting problems