CVE-2025-31500: 
Linux Debian vulnerability analysis and mitigation

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows Cross-Site Scripting (XSS) via JavaScript injection in an Asset name. The vulnerability was discovered by Benjamin Vermunicht and Elias Bout of the NATO Cyber Security Centre (NCSC) and was assigned CVE-2025-31500. The issue was disclosed on May 28, 2025, and affects Request Tracker versions from 5.0.0 to 5.0.7 (NVD, RT Release Notes).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The attack vector is network-based, with low attack complexity and requires no privileges. However, it does require user interaction. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

If exploited, this vulnerability could allow attackers to execute malicious JavaScript code in the context of other users' browsers when they view an asset with an infected name. This could lead to unauthorized access to sensitive information and potential manipulation of the application's functionality within the scope of the affected user's session (NVD).

The vulnerability has been patched in Request Tracker version 5.0.8, released on April 29, 2025. Users are advised to upgrade to this version to address the security issue. The fix includes improvements to input validation for asset names (RT Release Notes).