Launchpad.net

CVE 2015-1464

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

See the CVE page on Mitre.org for more details.

References