Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.
Debian Linux Security Advisory 2671-1 - Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.