CVE-2016-6127

medium
Published 2017-07-03 · Modified 2026-05-13
CVSS v3
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v2
4.3
VIR risk
6.1

Description

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use, allows remote attackers to inject arbitrary web script or HTML via a file upload with an unspecified content type.

Predictions

Exploit likelihood
71%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-6127

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016

OS impact

OS      Version   Status  Fixed in
debian  bookworm  fixed   4.4.1-4
debian  bullseye  fixed   4.4.1-4

Application impact

Vendor         Product          Versions  Fixed
bestpractical  request_tracker  4.0.0
bestpractical  request_tracker  4.0.1
bestpractical  request_tracker  4.0.2
bestpractical  request_tracker  4.0.3
bestpractical  request_tracker  4.0.4
bestpractical  request_tracker  4.0.5
bestpractical  request_tracker  4.0.6
bestpractical  request_tracker  4.0.7
bestpractical  request_tracker  4.0.8
bestpractical  request_tracker  4.0.9
bestpractical  request_tracker  4.0.10
bestpractical  request_tracker  4.0.11
bestpractical  request_tracker  4.0.12
bestpractical  request_tracker  4.0.13
bestpractical  request_tracker  4.0.14
bestpractical  request_tracker  4.0.15
bestpractical  request_tracker  4.0.16
bestpractical  request_tracker  4.0.17
bestpractical  request_tracker  4.0.18
bestpractical  request_tracker  4.0.19
bestpractical  request_tracker  4.0.20
bestpractical  request_tracker  4.0.21
bestpractical  request_tracker  4.0.22
bestpractical  request_tracker  4.0.23
bestpractical  request_tracker  4.0.24
bestpractical  request_tracker  4.2.0
bestpractical  request_tracker  4.2.1
bestpractical  request_tracker  4.2.2
bestpractical  request_tracker  4.2.3
bestpractical  request_tracker  4.2.4
bestpractical  request_tracker  4.2.5
bestpractical  request_tracker  4.2.6
bestpractical  request_tracker  4.2.7
bestpractical  request_tracker  4.2.8
bestpractical  request_tracker  4.2.9
bestpractical  request_tracker  4.2.10
bestpractical  request_tracker  4.2.11
bestpractical  request_tracker  4.2.12
bestpractical  request_tracker  4.2.13
bestpractical  request_tracker  4.4.0
bestpractical  request_tracker  4.4.1

References

CWEs

CWE-79
