{"id":"CVE-2017-5944","details":"The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.","modified":"2026-07-08T11:35:05.771691Z","published":"2017-07-03T16:29:00.543Z","references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3882"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99381"},{"type":"ADVISORY","url":"https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bestpractical/rt","events":[{"introduced":"e77f11b09699ecc530f747d2fdc027ad331206dc"},{"last_affected":"0bba58cfa361491dc0c43c66bf7a04fe2a7ab2b4"}],"database_specific":{"source":"CPE_STRING","cpe":["cpe:2.3:a:bestpractical:request_tracker:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.5:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.6:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.7:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.8:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.9:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.10:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.11:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.12:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.13:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.14:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.15:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.16:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.17:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.18:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.19:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.20:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.21:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.22:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.23:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.0.24:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.0:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.1:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.8:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.9:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.10:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.11:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.12:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.2.13:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.4.0:*:*:*:*:*:*:*","cpe:2.3:a:bestpractical:request_tracker:4.4.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.0.0"},{"last_affected":"4.0.0"},{"introduced":"4.0.1"},{"last_affected":"4.0.1"},{"introduced":"4.0.2"},{"last_affected":"4.0.2"},{"introduced":"4.0.3"},{"last_affected":"4.0.3"},{"introduced":"4.0.4"},{"last_affected":"4.0.4"},{"introduced":"4.0.5"},{"last_affected":"4.0.5"},{"introduced":"4.0.6"},{"last_affected":"4.0.6"},{"introduced":"4.0.7"},{"last_affected":"4.0.7"},{"introduced":"4.0.8"},{"last_affected":"4.0.8"},{"introduced":"4.0.9"},{"last_affected":"4.0.9"},{"introduced":"4.0.10"},{"last_affected":"4.0.10"},{"introduced":"4.0.11"},{"last_affected":"4.0.11"},{"introduced":"4.0.12"},{"last_affected":"4.0.12"},{"introduced":"4.0.13"},{"last_affected":"4.0.13"},{"introduced":"4.0.14"},{"last_affected":"4.0.14"},{"introduced":"4.0.15"},{"last_affected":"4.0.15"},{"introduced":"4.0.16"},{"last_affected":"4.0.16"},{"introduced":"4.0.17"},{"last_affected":"4.0.17"},{"introduced":"4.0.18"},{"last_affected":"4.0.18"},{"introduced":"4.0.19"},{"last_affected":"4.0.19"},{"introduced":"4.0.20"},{"last_affected":"4.0.20"},{"introduced":"4.0.21"},{"last_affected":"4.0.21"},{"introduced":"4.0.22"},{"last_affected":"4.0.22"},{"introduced":"4.0.23"},{"last_affected":"4.0.23"},{"introduced":"4.0.24"},{"last_affected":"4.0.24"},{"introduced":"4.2.0"},{"last_affected":"4.2.0"},{"introduced":"4.2.1"},{"last_affected":"4.2.1"},{"introduced":"4.2.2"},{"last_affected":"4.2.2"},{"introduced":"4.2.3"},{"last_affected":"4.2.3"},{"introduced":"4.2.4"},{"last_affected":"4.2.4"},{"introduced":"4.2.5"},{"last_affected":"4.2.5"},{"introduced":"4.2.6"},{"last_affected":"4.2.6"},{"introduced":"4.2.7"},{"last_affected":"4.2.7"},{"introduced":"4.2.8"},{"last_affected":"4.2.8"},{"introduced":"4.2.9"},{"last_affected":"4.2.9"},{"introduced":"4.2.10"},{"last_affected":"4.2.10"},{"introduced":"4.2.11"},{"last_affected":"4.2.11"},{"introduced":"4.2.12"},{"last_affected":"4.2.12"},{"introduced":"4.2.13"},{"last_affected":"4.2.13"},{"introduced":"4.4.0"},{"last_affected":"4.4.0"},{"introduced":"4.4.1"},{"last_affected":"4.4.1"}]}}],"versions":["4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.17","4.0.18","4.0.19","4.0.2","4.0.20","4.0.21","4.0.22","4.0.23","4.0.24","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.2.0","4.2.1","4.2.10","4.2.11","4.2.12","4.2.13","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.4.0","4.4.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5944.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}