CVE-2012-4733 Information

Description

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and \custom lifecycle transition\ permission which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.

Reference

http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html http://secunia.com/advisories/53522 http://www.osvdb.org/93611