CVE-2013-3525

CVSS V2 High 7.5 CVSS V3 None
Description
** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."
Overview
  • CVE ID
  • CVE-2013-3525
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2013-05-10T21:55:02
  • Last Modified Date
  • 2017-08-29T01:33:24
Weakness Enumerations
CWE URL
CWE-89 http://cwe.mitre.org/data/definitions/89.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:* 1 OR 4.0.9
cpe:2.3:a:bestpractical:request_tracker:3.6.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.6.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.6.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:3.8.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:bestpractical:request_tracker:4.0.8:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
References
Reference URL Reference Tags
http://www.securityfocus.com/bid/59022 Exploit
http://osvdb.org/92265
http://cxsecurity.com/issue/WLB-2013040083 Exploit
http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
http://blog.bestpractical.com/2013/04/on-our-security-policies.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/83375
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2013-3525
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3525
History
Created Old Value New Value Data Type Notes
2022-05-10 08:46:22 Added to TrackCVE
2022-12-01 18:30:25 2013-05-10T21:55Z 2013-05-10T21:55:02 CVE Published Date updated
2022-12-01 18:30:25 2017-08-29T01:33:24 CVE Modified Date updated
2022-12-01 18:30:25 Modified Vulnerability Status updated