Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.
Debian Linux Security Advisory 2671-1 - Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.