git: 57818171650b - main - security/vuxml: Add rt44, rt50 and rt60 vulnerabilities
Date: Thu, 23 Oct 2025 15:33:18 UTC
The branch main has been updated by fernape:
URL: https://cgit.FreeBSD.org/ports/commit/?id=57818171650b0186170f4c7e2f2903b6aba76b23
commit 57818171650b0186170f4c7e2f2903b6aba76b23
Author: Einar Bjarni Halldórsson <einar@isnic.is>
AuthorDate: 2025-10-23 14:58:06 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-10-23 15:33:05 +0000
security/vuxml: Add rt44, rt50 and rt60 vulnerabilities
* CVE-2025-9158
* CVE-2025-61873
PR: 290436
Report by: Einar Bjarni Halldórsson <einar@isnic.is>
---
security/vuxml/vuln/2025.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 19b04e164747..bc28d678e584 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,66 @@
+ <vuln vid="269c2de7-afaa-11f0-b4c8-792b26d8a051">
+ <topic>RT -- XSS via calendar invitations</topic>
+ <affects>
+ <package>
+ <name>rt60</name>
+ <name>rt50</name>
+ <range><ge>6.0.0</ge><lt>6.0.2</lt></range>
+ <range><ge>5.0.4</ge><lt>5.0.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mateusz Szymaniec and CERT Polska Reports:</p>
+ <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2">
+ <p>RT is vulnerable to XSS via calendar invitations added to a
+ ticket. Thanks to Mateusz Szymaniec and CERT Polska for
+ reporting this finding.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-9158</cvename>
+ <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url>
+ </references>
+ <dates>
+ <discovery>2025-10-23</discovery>
+ <entry>2025-10-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b374df95-afa8-11f0-b4c8-792b26d8a051">
+ <topic>RT -- CSV injection</topic>
+ <affects>
+ <package>
+ <name>rt60</name>
+ <name>rt50</name>
+ <name>rt44</name>
+ <range><ge>6.0.0</ge><lt>6.0.2</lt></range>
+ <range><ge>5.0.0</ge><lt>5.0.9</lt></range>
+ <range><ge>4.4.0</ge><lt>4.4.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gareth Watkin-Jones from 4armed reports:</p>
+ <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2">
+ <p>RT is vulnerable to CSV injection via ticket values with
+ special characters that are exported to a TSV from search
+ results. Thanks to Gareth Watkin-Jones from 4armed for
+ reporting this finding.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-61873</cvename>
+ <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url>
+ </references>
+ <dates>
+ <discovery>2025-10-23</discovery>
+ <entry>2025-10-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="114cc98b-afad-11f0-af12-bc241121aa0a">
<topic>FreeBSD -- SO_REUSEPORT_LB breaks connect(2) for UDP sockets</topic>
<affects>
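Review bot: The two new entries disagree on how the reporter line is written: the first body opens with `<p>Mateusz Szymaniec and CERT Polska Reports:</p>` (capital "Reports"), while the second uses the usual lowercase form `<p>Gareth Watkin-Jones from 4armed reports:</p>`; the first should be `<p>Mateusz Szymaniec and CERT Polska report:</p>` for a plural subject and consistency with the rest of the file. Both entries also set `<discovery>` to the same day as `<entry>` (2025-10-23); if the cited rt-6.0.2 release page was published earlier, the discovery date should carry that earlier date rather than the day the entry was written. The rt50 lower bound differs between the entries (`<ge>5.0.4</ge>` for CVE-2025-9158 versus `<ge>5.0.0</ge>` for CVE-2025-61873); if 5.0.4 reflects when the calendar-invitation code appeared that is fine, otherwise the bound looks like a transcription slip and is worth confirming against the upstream advisory. The final context lines belong to the pre-existing FreeBSD SO_REUSEPORT_LB entry, whose body continues outside the hunk.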