Skip to main content

Rt CVE-2013-5587

LOW
Cross-site Scripting (XSS) (CWE-79)
2013-08-23 cve@mitre.org
2.6
CVSS 2.0 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:N/AC:H/Au:N/C:N/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:H/Au:N/C:N/I:P/A:N
Attack Vector
Network
Attack Complexity
High
Confidentiality
None
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 23, 2013 - 16:55 cve.org
LOW 2.6

DescriptionCVE.org

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions. Affected products include: Bestpractical Rt. Version information: before 4.0.13.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Rt

View all
CVE-2026-41075 HIGH
8.8 May 22

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6

CVE-2026-41076 HIGH
8.1 May 22

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows

CVE-2026-41074 HIGH
7.1 May 22

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers t

CVE-2013-3370 MEDIUM
6.8 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c

CVE-2012-4732 MEDIUM
6.8 Nov 11

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0

CVE-2013-3369 MEDIUM
6.0 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions

CVE-2012-4733 MEDIUM
6.0 Aug 23

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm

CVE-2014-1474 MEDIUM
5.0 Jul 15

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo

CVE-2013-3373 MEDIUM
5.0 Aug 23

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers

CVE-2012-4884 MEDIUM
5.0 Nov 11

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack

CVE-2012-4734 MEDIUM
5.0 Nov 11

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a

CVE-2026-41073 MEDIUM
4.6 May 22

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to e

Share

CVE-2013-5587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy