CVE-2013-3525

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.6.8:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.6.10:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.6.11:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.3:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.4:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.7:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.9:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.10:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.11:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.12:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.13:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.14:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.15:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:3.8.16:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.4:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.5:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.6:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.7:*:*:*:*:*:*:*
cpe:2.3:a:bestpractical:request_tracker:4.0.8:*:*:*:*:*:*:*

History

21 Nov 2024, 01:53

Type Values Removed Values Added
References () http://blog.bestpractical.com/2013/04/on-our-security-policies.html - () http://blog.bestpractical.com/2013/04/on-our-security-policies.html -
References () http://cxsecurity.com/issue/WLB-2013040083 - Exploit () http://cxsecurity.com/issue/WLB-2013040083 - Exploit
References () http://osvdb.org/92265 - () http://osvdb.org/92265 -
References () http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html - () http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html -
References () http://www.securityfocus.com/bid/59022 - Exploit () http://www.securityfocus.com/bid/59022 - Exploit
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/83375 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/83375 -

07 Nov 2023, 02:15

Type Values Removed Values Added
Summary ** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims." SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.

Information

Published : 2013-05-10 21:55

Updated : 2024-11-21 01:53


NVD link : CVE-2013-3525

Mitre link : CVE-2013-3525

CVE.ORG link : CVE-2013-3525


JSON object : View

Products Affected

bestpractical

  • request_tracker
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')