Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and custom lifecycle transition permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Rt | Bestpractical | 4.0.0 (including) | 4.0.0 (including) |
| Rt | Bestpractical | 4.0.0-rc1 (including) | 4.0.0-rc1 (including) |
| Rt | Bestpractical | 4.0.0-rc2 (including) | 4.0.0-rc2 (including) |
| Rt | Bestpractical | 4.0.0-rc3 (including) | 4.0.0-rc3 (including) |
| Rt | Bestpractical | 4.0.0-rc4 (including) | 4.0.0-rc4 (including) |
| Rt | Bestpractical | 4.0.0-rc5 (including) | 4.0.0-rc5 (including) |
| Rt | Bestpractical | 4.0.0-rc6 (including) | 4.0.0-rc6 (including) |
| Rt | Bestpractical | 4.0.0-rc7 (including) | 4.0.0-rc7 (including) |
| Rt | Bestpractical | 4.0.0-rc8 (including) | 4.0.0-rc8 (including) |
| Rt | Bestpractical | 4.0.1 (including) | 4.0.1 (including) |
| Rt | Bestpractical | 4.0.1-rc1 (including) | 4.0.1-rc1 (including) |
| Rt | Bestpractical | 4.0.1-rc2 (including) | 4.0.1-rc2 (including) |
| Rt | Bestpractical | 4.0.2 (including) | 4.0.2 (including) |
| Rt | Bestpractical | 4.0.2-rc1 (including) | 4.0.2-rc1 (including) |
| Rt | Bestpractical | 4.0.2-rc2 (including) | 4.0.2-rc2 (including) |
| Rt | Bestpractical | 4.0.3 (including) | 4.0.3 (including) |
| Rt | Bestpractical | 4.0.10 (including) | 4.0.10 (including) |
| Rt | Bestpractical | 4.0.11 (including) | 4.0.11 (including) |
| Rt | Bestpractical | 4.0.12 (including) | 4.0.12 (including) |
| Request-tracker4 | Ubuntu | precise | * |
| Request-tracker4 | Ubuntu | quantal | * |
| Request-tracker4 | Ubuntu | raring | * |
| Request-tracker4 | Ubuntu | upstream | * |