Best Practical Request Tracker Stored Cross-Site Scripting Vulnerability in Calendar Invitation Parsing

Vulnerability

A stored cross-site scripting vulnerability has been identified in Best Practical Request Tracker versions 5.0.4 through 5.0.8 and 6.0.0 through 6.0.1. The vulnerability arises in the calendar invitation parsing feature, which displays invitation data without proper HTML sanitization. As a result, an attacker can send a specially crafted email containing JavaScript code that executes in the context of the logged-in user when the ticket is displayed.
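
The flaw class described above, as an added example that is not Request Tracker's code and not taken from the advisory: a minimal Python parser for a calendar invitation, with the parsed values rendered once without and once with HTML escaping. The sample invitation, the fields shown and all function names are constructed for illustration; the advisory does not say which invitation fields are affected.

```python
import html
import re

# Constructed sample (not from the advisory): a text/calendar body whose
# SUMMARY and LOCATION values stand in for attacker-controlled input.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Review <script>alert(1)</script>\r\n"
    "LOCATION:Room 4\\, \"east\" <img src=x\r\n"
    "  onerror=alert(2)>\r\n"
    "ORGANIZER;CN=Alice:mailto:alice@example.com\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def parse_event(ics):
    """Return the properties of the first VEVENT as {NAME: text value}."""
    # RFC 5545 unfolding: a line break followed by one space/tab continues the line.
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    props, inside = {}, False
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            head, value = line.split(":", 1)  # simplification: no quoted ':' in params
            name = head.split(";", 1)[0].upper()
            # Undo iCalendar TEXT escapes (\n \, \; \\); this is NOT HTML escaping.
            props[name] = re.sub(
                r"\\([\\;,nN])",
                lambda m: "\n" if m.group(1) in "nN" else m.group(1),
                value,
            )
    return props

def render_unsafe(props):
    """The flawed pattern: parsed values are placed into HTML as-is."""
    return "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in props.items())

def render_safe(props):
    """Escape every name and value at the point of HTML output."""
    return "".join(
        f"<dt>{html.escape(k)}</dt><dd>{html.escape(v, quote=True)}</dd>"
        for k, v in props.items()
    )

if __name__ == "__main__":
    event = parse_event(SAMPLE_ICS)
    print(render_unsafe(event))
    print(render_safe(event))
```

Line unfolding and iCalendar text unescaping both happen before rendering, so escaping has to be applied to the final parsed value at output time rather than to the raw email body.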

Impact

Exploitation of this vulnerability allows for the execution of malicious JavaScript in the context of the affected user.

Added: Oct 24, 2025, 6:18 AM
Updated: Oct 24, 2025, 6:18 AM