A security flaw was found in the way the RT3 ticketing
system handled resubmitting of form data after the user
has logged out of the browser (but not closed it).
A local attacker could use this flaw to access the user
account of the victim (login without providing a password
or obtain user credentials).
Upstream bug report:
This issue affects the versions of the rt3 package, as shipped with
Fedora releases 13 and 14.
This issue affects the version of the rt3 package, as present within
This was assigned CVE-2011-1007:
Created rt3 tracking bugs for this issue
Affects: fedora-all [bug 680218]
Affects: epel-6 [bug 680217]
rt3-3.6.11-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Current Fedora/EPEL6 have 3.8.13 so are fixed.