CVE-2017-5944
high-risk
Published 2017-07-03
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
Do I need to act?
~
4.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Request Tracker
Affected Vendors
References (6)
Third Party Advisory
http://www.debian.org/security/2017/dsa-3882
Third Party Advisory
http://www.securityfocus.com/bid/99381
Third Party Advisory
http://www.debian.org/security/2017/dsa-3882
Third Party Advisory
http://www.securityfocus.com/bid/99381
61
/ 100
high-risk
Severity
30/34 · Critical
Exploitability
7/34 · Low
Exposure
24/34 · High