CVE-2025-30087

7.2 HIGH

📋 TL;DR

This is a reflected cross-site scripting (XSS) vulnerability in Best Practical Request Tracker (RT). An attacker crafts a search URL whose parameters are echoed into the search results page without proper escaping; when an RT user opens that link, the attacker's script runs in the user's browser with that user's RT session. It affects RT 4.4 through 4.4.7 and 5.0 through 5.0.7, and is fixed in 4.4.8 and 5.0.8.

💻 Affected Systems

Products:
  • Best Practical Request Tracker (RT)
Versions: 4.4 through 4.4.7, 5.0 through 5.0.7
Operating Systems: All platforms running affected RT versions
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable regardless of configuration.

📦 What is this software?

Request Tracker (RT) is Best Practical's open-source, Perl-based ticketing and workflow system, widely used for help desks, security and incident tracking, and internal request queues. Its web UI includes a ticket search interface whose results pages echo query parameters back to the user, which is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts.

🟠

Likely Case

Session hijacking of RT users who open the crafted link, actions performed in their session (reading or changing tickets, which often contain sensitive incident data), or credential theft via injected login prompts.

🟢

If Mitigated

Limited impact once the fixed release is installed. A restrictive Content Security Policy and WAF rules reduce exposure but do not remove the underlying flaw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS has low exploitation complexity: the attacker needs no RT account to build the malicious link, only a way to get an RT user to open it (email, chat, a ticket comment). The payload executes with whatever RT privileges the victim has when the page renders, so the real target is an authenticated user.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.8 and 5.0.8

Vendor Advisory: https://docs.bestpractical.com/release-notes/rt/index.html

Restart Required: Yes

Instructions:

1. Back up your RT installation directory and database.
2. Download RT 4.4.8 or 5.0.8 from Best Practical and verify the download.
3. Follow the upgrade instructions shipped with the release (README and docs/UPGRADING-*). For a patch-level upgrade this is normally: run ./configure with the same options as your current install, then make upgrade, then make upgrade-database (which runs rt-setup-database --action upgrade).
4. Clear the Mason cache under your RT var directory (the mason_data/obj tree) so stale compiled templates are not served.
5. Restart your web server (and rt-server or the FastCGI/mod_perl workers) so the new code is loaded.

🔧 Temporary Workarounds

Input Validation Filter

all

Escape the reflected search parameters at output time (HTML-encode them where the results page echoes them) rather than stripping characters from the input. Blocklist-style stripping is easy to bypass with encoding variants and breaks legitimate queries that contain < or quotes.

# Requires custom code modification to RT's search handler; keep it as a local template override (local/html) so the vendor upgrade replaces it cleanly

Content Security Policy

all

Add a Content Security Policy that forbids script execution from anything but your own origin. Caveat: RT's templates use inline scripts, so a policy without 'unsafe-inline' will likely break the UI unless your RT version already supports nonced scripts, and a policy that allows 'unsafe-inline' does not stop reflected XSS at all. Roll it out in report-only mode first and review the violation reports before enforcing.

# Add to web server config: Content-Security-Policy: default-src 'self'
# Start with Content-Security-Policy-Report-Only: default-src 'self' to see what breaks

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that URL-decode search parameters before matching, so encoded and double-encoded payloads are caught; expect bypasses and treat this as a stopgap.
  • Keep search behind authentication (RT's default) and do not expose the RT web UI to anonymous users; remind staff to be wary of unexpected RT links, since the crafted URL only does damage when a logged-in user opens it.

🔍 How to Verify

Check if Vulnerable:

Compare your RT version against the affected ranges; any 4.4.x up to 4.4.7 or 5.0.x up to 5.0.7 is vulnerable. If you test directly, use a harmless payload (for example one that only calls alert) from a test account in a non-production instance, and record the request so it is not mistaken for an attack in your logs.

Check Version:

The version appears in the footer of every RT web page (for example "RT 5.0.7 Copyright ..."). On the server, it is the $VERSION assignment in lib/RT.pm under your install prefix, e.g. grep '\$VERSION' /opt/rt5/lib/RT.pm. RT_SiteConfig.pm holds site settings, not the version.

Verify Fix Applied:

Verify installation of RT 4.4.8 or 5.0.8. Test that XSS payloads in search parameters are properly sanitized.
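Added example for this page (not code from Best Practical or from RT): a small checker that parses an RT version string, as found in the page footer or in lib/RT.pm, and tests it against the affected ranges listed above. It treats pre-releases of the fixing version (such as 5.0.8rc1) as still affected, since only the final 4.4.8 and 5.0.8 releases are vouched for here. The lib/RT.pm path and the sample file contents are assumptions.

```python
"""Added example for this page (not code from Best Practical or from RT):
parse an RT version string and check it against the affected ranges listed
above. Assumption: RT stores its version in lib/RT.pm under the install prefix
(e.g. /opt/rt5/lib/RT.pm) as   our $VERSION = '5.0.7';
"""
import re
from pathlib import Path

# Affected ranges exactly as this page states them:
# (major, minor) -> highest affected patch level.
AFFECTED = {
    (4, 4): 7,   # 4.4.0 .. 4.4.7, fixed in 4.4.8
    (5, 0): 7,   # 5.0.0 .. 5.0.7, fixed in 5.0.8
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z][\w.]*)?")


def parse_version(text):
    """Return (major, minor, patch, prerelease) from '5.0.7', '4.4', '5.0.8rc1',
    or a footer line such as 'RT 5.0.7 Copyright 1996-2024 ...'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre or ""


def is_affected(version):
    """True if the version falls inside the ranges this page lists as vulnerable."""
    major, minor, patch, pre = parse_version(version)
    last_bad = AFFECTED.get((major, minor))
    if last_bad is None:
        # Other series (4.2.x, 5.2.x, ...) are not covered by this page; check
        # the vendor release notes rather than assuming they are safe.
        return False
    if patch <= last_bad:
        return True
    # Pre-releases of the fixing version (4.4.8rc1, 5.0.8beta1) may predate the
    # fix; the page only vouches for the final releases, so treat them as affected.
    return bool(pre) and patch == last_bad + 1


def version_from_rt_pm(source):
    """Extract the version string from the text of lib/RT.pm."""
    m = re.search(r"""\$VERSION\s*=\s*['"]([^'"]+)['"]""", source)
    if not m:
        raise ValueError("no $VERSION assignment found")
    return m.group(1)


def check_install(prefix="/opt/rt5"):
    """Read lib/RT.pm under an RT install prefix and report whether it is affected."""
    version = version_from_rt_pm(Path(prefix, "lib", "RT.pm").read_text())
    return version, is_affected(version)


# Constructed sample of the relevant line, not a real RT.pm.
SAMPLE_RT_PM = """package RT;
use strict;
use warnings;
our $VERSION = '5.0.7';
"""

if __name__ == "__main__":
    v = version_from_rt_pm(SAMPLE_RT_PM)
    print(v, "affected" if is_affected(v) else "not in the listed ranges")
```

Run check_install("/opt/rt4") or check_install("/opt/rt5") on the host; a result of (version, True) means the install is inside the listed ranges. Versions from series this page does not mention come back False, which means "not listed here", not "known safe".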

📡 Detection & Monitoring

Log Indicators:

  • Search requests whose query string contains script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, including percent-encoded and double-encoded forms
  • Bursts of search requests from one client that vary only in the special characters or encodings used in a parameter, which is typical of payload probing

Network Indicators:

  • HTTP requests with suspicious parameters containing <script>, javascript:, or encoded payloads

SIEM Query:

web.url:*search* AND (web.param:*<script>* OR web.param:*javascript:* OR web.param:*%3Cscript%3E* OR web.param:*onerror=*)

Where the SIEM can URL-decode fields, match on the decoded value instead of enumerating encodings by hand; literal matches miss double-encoded and mixed-case variants.
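Added example (not from the advisory or from RT) of the same detection logic run offline over access-log lines: it scopes to requests under a search path, URL-decodes each query parameter (bounded, so double encoding does not hide a payload) and matches the markers listed above. The log lines are constructed, and the parameter names in them are illustrative, since the page does not name the vulnerable parameter.

```python
"""Added example for this page (not from the advisory or from RT): flag web
server requests to RT search pages whose query parameters carry XSS-style
payloads, decoding percent-encoding (including double encoding) before matching.
The log lines below are constructed; the parameter names in them are
illustrative, since the page does not name the vulnerable parameter.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers checked after decoding. Case-insensitive. Deliberately narrow:
# a plain word "javascript" without a colon is not a hit.
XSS_MARKERS = re.compile(
    r"<\s*script"                  # <script ...
    r"|javascript\s*:"             # javascript: URLs
    r"|<\s*\w+[^>]*\bon\w+\s*=",   # any tag carrying an on*= handler
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %253C does not hide a '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return [(name, decoded_value)] for search-page parameters matching XSS markers."""
    parts = urlsplit(url)
    if "/search/" not in parts.path.lower():
        return []
    hits = []
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return (client_ip, timestamp, url, hits) for each line with a suspicious search request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            findings.append((m["ip"], m["ts"], m["url"], hits))
    return findings


# Constructed sample log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:14:02 +0000] "GET /Search/Results.html?Query=Status%3D%27new%27&Order=ASC HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/May/2025:10:15:11 +0000] "GET /Search/Results.html?Format=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4210',
    '198.51.100.4 - - [12/May/2025:10:16:40 +0000] "GET /Search/Results.html?Query=id%3D1&Order=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4100',
    '198.51.100.4 - - [12/May/2025:10:17:01 +0000] "GET /Ticket/Display.html?id=42 HTTP/1.1" 200 3000',
    '192.0.2.8 - - [12/May/2025:10:18:22 +0000] "GET /Search/Results.html?Query=Subject%20LIKE%20%27javascript%20tutorial%27 HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for ip, ts, url, hits in scan_log(SAMPLE_LOG):
        print(ip, ts, hits)
```

Only the second and third sample lines are flagged: the first is an ordinary query, the fourth is outside the search path, and the fifth contains the word "javascript" without a colon. The path filter is deliberately narrow to match this advisory; drop it to hunt for the same payloads across the whole RT UI.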

🔗 References
