Bugzilla Information Disclosure And Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

The host is running Bugzilla and is prone to information disclosure and cross site scripting vulnerabilities.

Impact

Successful exploitation will allow remote attackers to gain sensitive information and execute arbitrary HTML and script code in a users browser session in context of an affected site. Impact Level: Application

Solution

Upgrade to Bugzilla 3.6.13, 4.0.10, 4.2.5, 4.4rc2 or later, For updates refer to http://www.bugzilla.org/download/

Insight

- Input passed to the 'id' parameter in show_bug.cgi (when 'format' is set to an invalid format) is not properly sanitized before being returned to the user. - An error related to running a query in debug mode can be exploited to disclose if certain field values exists.

Affected

Bugzilla version 2.0 to 3.6.12, 3.7.1 to 4.0.9, 4.1.1 to 4.2.4 and 4.3.1 to 4.4rc1

References

http://secunia.com/advisories/52254
http://www.bugzilla.org/security/3.6.12
http://www.osvdb.org/90397
http://www.osvdb.org/90404
https://bugzilla.mozilla.org/show_bug.cgi?id=824399
https://bugzilla.mozilla.org/show_bug.cgi?id=842038

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-0785
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Subversion Module Metadata Accessible
Apache Solr Directory Traversal Vulnerability Jan-14
Apache Struts2/XWork Remote Command Execution Vulnerability
AjaXplorer 'doc_file' Parameter Local File Disclosure Vulnerability
Apache ActiveMQ 'Cron Jobs' Cross Site Scripting Vulnerability

Bugzilla Information Disclosure and Cross-Site Scripting Vulnerabilities

Take action and discover your vulnerabilities