update to rt-5.0.3 due to CVE-2022-25802

Bug #2003565 reported by Florian Wolff
This bug affects 1 person
Affects: request-tracker5 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

RT is vulnerable to cross-site scripting (XSS) when displaying
attachment content with fraudulent content types.
This is fixed in 5.0.3, so Maintainer, please provide upgraded packages ASAP.

Florian Wolff (flocom)
information type: Private Security → Public
Andrew Ruthven (andrew-etc) wrote:

This is the commit which fixes this issue, in case the Ubuntu devs only want to fix the security issue: https://github.com/bestpractical/rt/commit/7986fd798df5d055ea2ff9f74207631ab307cfc8
