[VIM] vendor dispute - CVE-2013-3525 / Request Tracker SQL injection
Christey, Steven M.
coley at mitre.org
Wed May 15 08:53:23 CDT 2013
The Request Tracker vendor has disputed CVE-2013-3525. The following vendor comment will be in NVD shortly:
Request Tracker is not vulnerable to the "exploit" detailed in
CVE-2013-3525. We were unable to replicate it, and the
individual that reported it retracted their report on April
19th. Thus, this CVE should be considered an erroneous
vulnerability report. For additional information, see our blog
post on the topic.
Note that the PacketStorm reference has been removed.
** DISPUTED **
SQL injection vulnerability in Approvals/ in Request Tracker (RT)
4.0.10 and earlier allows remote attackers to execute arbitrary SQL
commands via the ShowPending parameter. NOTE: the vendor disputes
this issue, stating "We were unable to replicate it, and the
individual that reported it retracted their report," and "we had
verified that the claimed exploit did not function according to the