VID 21242
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Bugzilla bug-tracking system, according to its version number, is affected by cross-site scripting vulnerabilities in its default HTML templates.
Bugzilla, developed by the Mozilla project, is an open-source/free bug-tracking system for reporting bugs and assigning them to the appropriate developers. It runs on Linux, Unix and Microsoft Windows and is used via the web and e-mail. Multiple cross-site scripting vulnerabilities have been reported in Bugzilla's default HTML templates. All Bugzilla output shown to end users is generated from these templates, and because the default templates do not properly filter HTML meta-characters in user-supplied input before rendering it, a remote attacker can inject script code and HTML by submitting specially crafted data to the server. The injected script and HTML then execute in the browser of any user who views the affected page on the Bugzilla system.

* Note: This check relies solely on the version number reported by the Bugzilla system to assess this vulnerability, so it may produce a false positive (for example, on a system that has been patched without changing its reported version).
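
The version-only logic behind this check, as an added example (not the scanner's or Bugzilla's own code): it maps a version string onto the two affected ranges from the "Platforms Affected" list (2.16.2 and earlier, 2.17.3 and earlier) and returns a verdict. Note that 2.17 is the development branch, so 2.16.3 through 2.16.x sort below 2.17.0 but are fixed, which is why the ranges are checked separately rather than as one "below 2.17.4" comparison. The HTML footer sample and the banner regex are constructed assumptions used only to show how a page-derived version feeds the comparison; real Bugzilla pages may format the version differently.

```python
"""Version-based check for the Bugzilla template XSS (CVE-2003-0603).

Added example, not the scanner's or Bugzilla's own code. The footer
format in SAMPLE_PAGE and VERSION_RE is an assumption.
"""
import re

# Ranges taken from the advisory: 2.16.2 and earlier, 2.17.3 and earlier.
# Kept as two ranges because 2.16.3+ (fixed) sorts below 2.17.0 (affected).
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 16, 2)),
    ((2, 17, 0), (2, 17, 3)),
]

# Assumed banner format, e.g. "Bugzilla version 2.16.2" or "Bugzilla 2.17.3".
VERSION_RE = re.compile(r"Bugzilla\s+(?:version\s+)?(\d+\.\d+(?:\.\d+)?)", re.I)


def parse_version(text):
    """Turn '2.16' or '2.16.3' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:          # '2.16' is treated as 2.16.0
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def extract_version(html):
    """Pull the version string out of a page body; None if no banner is found."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def check_page(html):
    """Return (verdict, version): 'affected', 'not affected' or 'unknown'."""
    version = extract_version(html)
    if version is None:
        return ("unknown", None)   # no banner: do not guess either way
    return ("affected" if is_affected(version) else "not affected", version)


# Constructed sample footer for the demonstration.
SAMPLE_PAGE = "<html><body>...<p>Bugzilla version 2.16.2</p></body></html>"

if __name__ == "__main__":
    for v in ["2.14.5", "2.16", "2.16.2", "2.16.3", "2.17.3", "2.17.4"]:
        print(v, "affected" if is_affected(v) else "not affected")
    print(check_page(SAMPLE_PAGE))
```

Because the verdict comes only from the reported version, a site that applied the 2.16.3 patches by hand without updating the version string still reads as "affected"; confirming the finding means checking that the templates escape user input, not re-running the banner match.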

* References:
http://archives.neohapsis.com/archives/bugtraq/2003-04/0323.html
http://www.secunia.com/advisories/8669/
http://bugzilla.mozilla.org/show_bug.cgi?id=192677

* Platforms Affected:
Bugzilla 2.16.2 and earlier
Bugzilla 2.17.3 and earlier
Recommendation Upgrade to a fixed version (2.16.3 or 2.17.4), available from the Bugzilla web site: http://www.bugzilla.org/download.html
Users of versions 2.16 through 2.16.2 can upgrade to 2.16.3 using the patches from: http://ftp.mozilla.org/pub/webtools/
Related URL CVE-2003-0603 (CVE)
Related URL 7412 (SecurityFocus)
Related URL 11867 (ISS)