CVE-2023-45024 in Request Tracker
Summary
by MITRE • 11/03/2023
Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2023-45024 affects Best Practical Request Tracker version 5.0.4 and earlier, representing a significant information disclosure weakness within the transaction query builder component. This flaw enables unauthorized access to sensitive data through transaction search operations, potentially exposing confidential information to malicious actors who can exploit the vulnerability without requiring elevated privileges.
The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the transaction query builder functionality. When users perform searches through the transaction query interface, the system fails to properly sanitize or restrict query parameters, allowing attackers to construct malicious search queries that can retrieve data beyond their authorized scope. This issue manifests as an insufficient authorization check that permits users to access transaction records they should not be permitted to view, creating a path for information disclosure attacks.
The operational impact of this vulnerability extends beyond simple data exposure, as it can lead to comprehensive compromise of the request tracking system's integrity and confidentiality. Attackers can leverage this weakness to gather detailed information about system transactions, potentially including user credentials, sensitive business data, communication logs, and other confidential records that should remain protected within the RT environment. The vulnerability affects all users of the affected RT versions regardless of their role or permissions, making it particularly dangerous in multi-user environments where different levels of access should be maintained.
Organizations utilizing RT versions prior to 5.0.5 face substantial risk from this information disclosure vulnerability, as it can enable adversaries to conduct reconnaissance activities and gather intelligence about system operations and user activities. The flaw aligns with CWE-200, which addresses information exposure, and represents a specific instance of inadequate access control within web applications. Security professionals should note that this vulnerability can be exploited through standard web browser interfaces without requiring specialized tools or deep technical knowledge, making it particularly attractive to threat actors seeking quick wins in their attack campaigns.
The recommended mitigation strategy involves immediate upgrade to RT version 5.0.5 or later, which includes proper input validation and access control enhancements that address the root cause of this vulnerability. Organizations should also implement additional monitoring of transaction query activities to detect anomalous search patterns that might indicate exploitation attempts. Security teams should review and validate existing access controls within their RT deployments to ensure that users cannot access unauthorized data through alternative pathways, while also considering network-level protections such as web application firewalls that can help detect and block malicious query construction attempts. The vulnerability demonstrates the critical importance of proper input sanitization and access control enforcement in preventing information disclosure attacks that can compromise entire systems.