FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

RT -- CSV injection

Affected packages
6.0.0 <= rt44 < 6.0.2
5.0.0 <= rt44 < 5.0.9
4.4.0 <= rt44 < 4.4.9
6.0.0 <= rt50 < 6.0.2
5.0.0 <= rt50 < 5.0.9
4.4.0 <= rt50 < 4.4.9
6.0.0 <= rt60 < 6.0.2
5.0.0 <= rt60 < 5.0.9
4.4.0 <= rt60 < 4.4.9

Details

VuXML ID b374df95-afa8-11f0-b4c8-792b26d8a051
Discovery 2025-10-23
Entry 2025-10-23

Gareth Watkin-Jones from 4armed reports:

RT is vulnerable to CSV injection via ticket values with special characters that are exported to a TSV from search results. Thanks to Gareth Watkin-Jones from 4armed for reporting this finding.

[source]

References

CVE Name CVE-2025-61873
URL https://github.com/bestpractical/rt/releases/tag/rt-6.0.2

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.