VID | 210137 |
Severity | 30 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
Based on its reported version number, the Bugzilla bug-tracking system on the remote host is affected by an Internal Error Cross-Site Scripting Vulnerability. Bugzilla is a Web-based bug-tracking system written in Perl with a MySQL backend. Bugzilla 3.6.x earlier than 3.6.13, 4.0.x earlier than 4.0.10, 4.2.x earlier than 4.2.5, and 4.4 earlier than 4.4rc2 fail to properly sanitize user-supplied input to the 'id' parameter of the 'show_bug.cgi' script, which is reflected unescaped in the resulting error page. An attacker who can get a user to follow a crafted show_bug.cgi link may be able to leverage this to inject arbitrary HTML and script code into that user's browser, where it executes within the security context of the affected site (for example, to take over the user's Bugzilla session or perform actions as that user).
* Note: This check relies solely on the version number of the Bugzilla installation reported by the remote Web server to assess this vulnerability, so it may be a false positive (for instance, where the fix has been backported without changing the version string).
* References: https://bugzilla.mozilla.org/show_bug.cgi?id=842038 ; http://www.bugzilla.org/security/3.6.12/
* Platforms Affected: Mozilla Project, Bugzilla 3.6.x prior to 3.6.13, 4.0.x prior to 4.0.10, 4.2.x prior to 4.2.5, and 4.4 prior to 4.4rc2; any operating system, any version |
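The version-based test that the note above describes, written out as an added example (this is not the scanner's own check logic and not Bugzilla code). It parses Bugzilla version strings, including release candidates such as 4.4rc1, orders them so that an rc sorts before the final release, and compares each observed version against the fix for its branch (3.6.13 / 4.0.10 / 4.2.5 / 4.4rc2). Two assumptions are made and marked in the code: a development version such as 3.7.x or 4.3.x is compared against the next stable branch's fix, and the server's version is read from a footer of the form "version X.Y.Z", for which a constructed sample banner is embedded. As with the scanner's check, a match is only an inference from the version string, so a backported fix would still be reported.

```python
"""Version-based check for the Bugzilla show_bug.cgi 'id' XSS (CVE-2013-0785).

Added example, not the scanner's or Bugzilla's code. A host is flagged when
its reported version is older than the fixed release for its branch.
"""
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, one per branch, in ascending order.
FIXED_RELEASES = ("3.6.13", "4.0.10", "4.2.5", "4.4rc2")

# Accepts X.Y, X.Y.Z and X.Yrc<n> (Bugzilla release-candidate naming).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")

# Assumption: the front-page footer contains "version X.Y.Z" (or X.Yrc<n>).
_BANNER_RE = re.compile(r"\bversion\s+(\d+\.\d+(?:\.\d+)?(?:rc\d+)?)\b", re.I)

# Constructed sample of such a footer, so the example runs offline.
SAMPLE_BANNER = (
    '<div id="footer"><div id="information">'
    "This is Bugzilla: the Mozilla bug system. version 4.2.4"
    "</div></div>"
)

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Optional[VersionKey]:
    """Turn a version string into a sortable (major, minor, patch, final, rc) tuple.

    A release candidate sorts before the final release of the same version,
    so 4.4rc1 < 4.4rc2 < 4.4 < 4.4.1. Unrecognised strings return None so
    the caller never compares against a guess.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, None if unparseable.

    The branch used for comparison is the lowest fixed branch (major.minor)
    that is >= the observed major.minor. So anything before 3.6.13, 4.0.x
    before 4.0.10, 4.2.x before 4.2.5 and 4.4 before 4.4rc2 are flagged,
    while 4.5 and later (no fix listed) are not. Assumption: development
    series such as 3.7.x or 4.3.x are compared against the next stable fix.
    """
    v = parse_version(version)
    if v is None:
        return None
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        assert f is not None  # the constants above are well-formed
        if f[:2] >= v[:2]:
            return v < f
    return False


def extract_version(html: str) -> Optional[str]:
    """Pull the advertised version out of a Bugzilla page footer, if present."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


def scan(html: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version seen, verdict); verdict is None when no version is found.

    A True verdict is only a version inference: it cannot tell a vulnerable
    4.2.4 from a 4.2.4 with the fix backported, which is the false-positive
    case the scanner note warns about.
    """
    version = extract_version(html)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    for sample in ("3.6.12", "3.6.13", "4.0.9", "4.2.5", "4.4rc1", "4.4rc2", "4.5.1"):
        print(sample, "->", "vulnerable" if is_vulnerable(sample) else "not affected")
    print("banner:", scan(SAMPLE_BANNER))
```

Feed `scan()` the body of the Bugzilla front page fetched over the port listed above; when it returns a True verdict, confirm by checking the vendor's patch status before reporting, since a distribution package may carry the fix under the old version string.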
Recommendation |
Upgrade to a fixed version of Bugzilla for the branch in use (3.6.13, 4.0.10, 4.2.5, or 4.4rc2, or later), available from the Bugzilla Download Web site at http://www.bugzilla.org/download/
-- OR --
Apply the appropriate patch for this vulnerability, as attached to Bugzilla Bug #842038 at https://bugzilla.mozilla.org/show_bug.cgi?id=842038 |
Related URL |
CVE-2013-0785 (CVE) |
Related URL |
58060 (SecurityFocus) |