Impact
Request Tracker exposes a reflected cross-site scripting (XSS) flaw through the GET parameter "Page". When a victim opens a crafted URL, the application reflects that parameter into the response without proper sanitization, allowing arbitrary JavaScript to run in the victim's browser. This can lead to credential theft, session hijacking, or site defacement. The weakness is a classic cross-site scripting vulnerability (CWE-79) that directly impacts the confidentiality and integrity of the victim's session.
Affected Systems
The vulnerable product is Best Practical’s Request Tracker. All releases from 5.0.4 to 5.0.9 and from 6.0.0 to 6.0.2 are affected. Administrators should update to at least version 5.0.10 or 6.0.3, which contain the remediation, or to any later release that builds on those security patches.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity, and while EPSS data is not available, the flaw requires only that a user visit a crafted URL. The likely attack vector is a victim-driven click on a malicious or socially engineered link, delivered via phishing or a compromised internal site. Because the vulnerability enables arbitrary JavaScript execution in the browser context, an attacker can steal the victim's session token or perform other actions as that user. The flaw is not currently listed in the CISA KEV catalog, suggesting no widespread exploit campaign has been documented, but the potential for misuse remains, warranting prompt remediation.
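Two triage helpers for the advisory above, as an added example that is not code from Best Practical or OpenCVE: a version check against the stated affected ranges, and a scan of web-server access logs for requests whose "Page" parameter carries HTML markup, which is the request shape a victim's click would produce. The log format (combined/common), the `/rt/PLACEHOLDER_ENDPOINT` path and the sample lines are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges exactly as the advisory states them (inclusive bounds).
AFFECTED = [((5, 0, 4), (5, 0, 9)), ((6, 0, 0), (6, 0, 2))]


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when this Request Tracker version falls inside an affected range."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED)


# Markup characters or event-handler syntax have no business in a page name.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Common/combined log format (assumption): ip - - [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def flag_page_param(line: str):
    """Return (client_ip, decoded Page value) when a GET request carries
    markup in its Page parameter, else None. parse_qs does the URL decoding."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, _status = m.groups()
    if method != "GET":
        return None
    for value in parse_qs(urlsplit(target).query).get("Page", []):
        if SUSPICIOUS.search(value):
            return ip, value
    return None


def safe_reflect(value: str) -> str:
    """How a reflected value should reach HTML: entity-encoded, never raw."""
    return html.escape(value, quote=True)


# Constructed sample lines, not real traffic; the endpoint path is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /rt/PLACEHOLDER_ENDPOINT?Page=3 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /rt/PLACEHOLDER_ENDPOINT?Page=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    print([v for v in ("5.0.3", "5.0.4", "5.0.10", "6.0.2", "6.0.3") if is_affected(v)])
    print([hit for hit in map(flag_page_param, SAMPLE_LOG) if hit])
```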
OpenCVE Enrichment