Bugzilla < 2.14.2 / 2.16rc2 / 2.17 Multiple Vulnerabilities (SQLi, XSS, ID, Cmd Exe)

high Nessus Plugin ID 11463

Language:

Synopsis

The remote bug tracker has multiple vulnerabilities.

Description

According to its version number, the remote Bugzilla bug tracking system is vulnerable to various flaws, including SQL injection, cross-site scripting, and arbitrary command execution.

Solution

Upgrade to Bugzilla version 2.14.5 / 2.16.rc2 / 2.17.3 or later.

See Also

https://www.bugzilla.org/security/2.14.2/

https://www.bugzilla.org/security/2.16/

https://www.bugzilla.org/security/2.16.1/

https://www.bugzilla.org/security/2.16.1-nr/

Plugin Details

Severity: High

ID: 11463

File Name: bugzilla_vulns.nasl

Version: 1.30

Type: remote

Family: CGI abuses

Published: 3/24/2003

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Required KB Items: installed_sw/Bugzilla, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 10/30/2001

Reference Information

CVE: CVE-2002-0803, CVE-2002-0804, CVE-2002-0805, CVE-2002-0806, CVE-2002-0807, CVE-2002-0808, CVE-2002-0809, CVE-2002-0810, CVE-2002-0811, CVE-2002-1196, CVE-2002-1197, CVE-2002-1198, CVE-2002-2260, CVE-2003-0012, CVE-2003-0013

BID: 4964, 5842, 5843, 5844, 6257, 6501, 6502

CWE: 79