CVE-2013-3525

critical

Description

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/83375

http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html

http://osvdb.org/92265

http://blog.bestpractical.com/2013/04/on-our-security-policies.html

Details

Source: Mitre, NVD

Published: 2013-05-10

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.0277