Cross-site scripting (XSS) vulnerability in Best Practical Solutions RT 3.6.x before 3.6.9, 3.8.x before 3.8.5, and other 3.4.6 through 3.8.4 versions allows remote attackers to inject arbitrary web script or HTML via certain Custom Fields.

Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/15/1
Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/16/4
Reference: URL:http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
Reference: URL:http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000173.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546778

Created rt3 tracking bugs for this issue

CVE-2009-3892 Affects: F10 [bug #538174]
CVE-2009-3892 Affects: F11 [bug #538175]
CVE-2009-3892 Affects: F12 [bug #538176]
CVE-2009-3892 Affects: Fdevel [bug #538177]

This issue had been addressed ca. 4 weeks ago and had been tracked as BZ526870.

Then, rawhide had been upgraded to rt3.8.5, while the patch posted in http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html had been applied to FC < 12.

*** This bug has been marked as a duplicate of bug 526870 ***