VID | 210128
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The Bugzilla bug-tracking system, according to its version number, has two information disclosure vulnerabilities. Bugzilla is a Web-based bug-tracking system based on Perl and MySQL. Bugzilla versions 2.17.5 through 3.6.9, 3.7.1 through 4.0.6, 4.1.1 through 4.2.1, and 4.3.1 are affected by the following two information disclosure vulnerabilities:
- An error due to the application not properly validating the permissions of the addressee can be exploited to disclose summaries of otherwise restricted bugs via HTML bugmails.
- An error due to the application not properly validating permissions can be exploited to view descriptions of private attachments via public bug comments.
* Note: This check relies solely on the version number of Bugzilla installed on the remote Web server to assess this vulnerability, so it may be a false positive.
* References: http://www.bugzilla.org/security/3.6.9/ http://www.securityfocus.com/archive/1/523677
* Platforms Affected: Mozilla Bugzilla 2.17.5 through 3.6.9; Mozilla Bugzilla 3.7.1 through 4.0.6; Mozilla Bugzilla 4.1.1 through 4.2.1 and 4.3.1; any operating system, any version |
Recommendation | Upgrade to the latest version of Bugzilla (3.6.10, 4.0.7, 4.2.2, 4.3.2 or later), available from the Bugzilla Download Web site at http://www.bugzilla.org/download/
Related URL | CVE-2012-1968, CVE-2012-1969 (CVE)
Related URL | (SecurityFocus)
Related URL | (ISS)