Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject arbitrary email headers and conduct phishing. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.
Privilege Escalation
Rt
NVD
CVSS 2.0
3.5
EPSS
0.2%