VID | 210146
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The Bugzilla bug-tracking system, according to its version number, has a character spoofing vulnerability. Bugzilla is a Web-based bug-tracking system based on Perl and MySQL. Bugzilla versions from 2.0 but prior to 4.0.12, from 4.1.1 prior to 4.2.8, from 4.3.1 prior to 4.4.3, or from 4.5.1 prior to 4.5.3 are affected by a character spoofing vulnerability.
The vulnerability exists in the bug comment feature when handling control characters. This could allow a remote attacker to inject arbitrary commands that run if the comment text is copied to a terminal.
* Note: This check relies solely on the version number of Bugzilla installed on the remote Web server to assess this vulnerability, so it may be a false positive.
* References: http://www.bugzilla.org/security/4.0.11/ ; https://bugzilla.mozilla.org/show_bug.cgi?id=968576
* Platforms Affected: Mozilla Bugzilla from 2.0 but prior to 4.0.12; Mozilla Bugzilla from 4.1.1 prior to 4.2.8; Mozilla Bugzilla from 4.3.1 prior to 4.4.3; Mozilla Bugzilla from 4.5.1 prior to 4.5.3; any operating system, any version
Recommendation | Upgrade to the latest version of Bugzilla (4.0.12 / 4.2.8 / 4.4.3 / 4.5.3 or later), available from the Bugzilla Download Web site at http://www.bugzilla.org/download/
Related URL | (CVE)
Related URL | 66970 (SecurityFocus)
Related URL | (ISS)