Bug 538173 (CVE-2009-3892)

Summary: CVE-2009-3892 Request Tracker XSS flaw
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rc040203, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3892
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-18 02:40:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 538174, 538175, 538176, 538177    
Bug Blocks:    

Description Josh Bressers 2009-11-17 20:20:28 UTC 
Cross-site scripting (XSS) vulnerability in Best Practical Solutions
RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through
3.8.4 versions allows remote attackers to inject arbitrary web script
or HTML via certain Custom Fields.

Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/15/1
Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/16/4
Reference: URL:http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
Reference: URL:http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000173.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546778
Comment 1 Josh Bressers 2009-11-17 20:21:10 UTC 
Created rt3 tracking bugs for this issue

CVE-2009-3892 Affects: F10 [bug #538174]
CVE-2009-3892 Affects: F11 [bug #538175]
CVE-2009-3892 Affects: F12 [bug #538176]
CVE-2009-3892 Affects: Fdevel [bug #538177]
Comment 2 Ralf Corsepius 2009-11-18 02:40:08 UTC 
This issue had been addressed ca 4 weeks ago and had been tracked as 
BZ526870

Then, rawhide had been upgraded to rt3.8.5, while the patch posted in
http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
had been applied to FC < 12.

*** This bug has been marked as a duplicate of bug 526870 ***