The host is running Bugzilla and is prone to code injection and security bypass vulnerabilities.

Successful exploitation will allow remote attackers to gain sensitive information and bypass security restriction on the affected site. Impact Level: Application

Upgrade to Bugzilla version 4.0.8, 4.2.3, 4.3.3 or higher For updates refer to http://www.bugzilla.org/download/

The flaws are due to - When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection. - Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data.

Bugzilla 2.x and 3.x to 3.6.11, 3.7.x and 4.0.x to 4.0.7, 4.1.x and 4.2.x to 4.2.2, and 4.3.x to 4.3.2

• http://www.bugzilla.org/security/3.6.10/
• https://bugzilla.mozilla.org/show_bug.cgi?id=785470
• https://bugzilla.mozilla.org/show_bug.cgi?id=785511
• https://bugzilla.mozilla.org/show_bug.cgi?id=785522

---

Updated on 2015-03-25