Bugzilla < 2.16.3 / 2.17.4 Multiple Vulnerabilities (XSS, Symlink)

Severity: medium | Nessus Plugin ID 11553

Synopsis

The remote web server contains a CGI application that is affected by several issues.

Description

The remote Bugzilla bug-tracking system, according to its version number, contains several flaws that may let an attacker perform cross-site scripting attacks or, given a local account on the host, delete local files through a symlink attack on insecurely created temporary files.
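The symlink issue named in the title belongs to a well-known bug class: a script creates a temporary file at a predictable path with flags that follow symlinks, so a local user who plants a symlink at that path first gets the script to truncate or overwrite whatever the link points to. The following is an added, generic illustration of that class beside the open() flags that close it; it is not Bugzilla's code, does not claim which Bugzilla script was affected, and uses constructed paths and contents.

```python
"""Predictable temp file + symlink: the unsafe open() beside the safe one.
Generic illustration of the bug class, not Bugzilla's own code."""
import os
import tempfile


def write_report_unsafe(path, data):
    """Unsafe: O_CREAT|O_TRUNC without O_EXCL follows a pre-planted symlink
    and truncates whatever file it points to (assumed predictable path)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_report_safe(path, data):
    """Safe: O_EXCL makes open() fail if anything (file or symlink) already
    exists at the path, and O_NOFOLLOW refuses a final-component symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def run_scenario(writer):
    """Stage the race in a private directory: a victim file, an attacker's
    symlink at the predictable name, then the writer. Returns whether the
    writer raised and whether the victim's contents survived."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")       # constructed victim file
        with open(victim, "wb") as f:
            f.write(b"important data\n")
        predictable = os.path.join(d, "report.tmp")  # constructed temp path
        os.symlink(victim, predictable)              # attacker won the race
        error = None
        try:
            writer(predictable, b"stats\n")
        except OSError as exc:
            error = type(exc).__name__
        with open(victim, "rb") as f:
            intact = f.read() == b"important data\n"
        return {"error": error, "victim_intact": intact}


if __name__ == "__main__":
    print("unsafe:", run_scenario(write_report_unsafe))
    print("safe:  ", run_scenario(write_report_safe))
```

In practice the standard fix is to let `tempfile.mkstemp()` (or the platform's `mkstemp(3)`) pick an unpredictable name and open it with exactly these flags, rather than hand-rolling the path; the explicit flags above just make the difference visible. The same race applies to any script that later `unlink()`s or rewrites a predictable path in a world-writable directory.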

Solution

Upgrade to 2.16.3 / 2.17.4 or later.
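The plugin is a version-based check: it flags installs whose reported version is older than the fixed release on its branch. The following added example (not the NASL plugin itself) shows the equivalent gate over constructed version strings, so that the 2.16 and 2.17 branches are each compared against their own fixed version and anything older than 2.16.3 is caught too.

```python
"""Version gate equivalent to this advisory's check: Bugzilla < 2.16.3 on
the 2.16 (and earlier) line, or < 2.17.4 on the 2.17 line. Illustrative
code, not the Nessus plugin; sample banners are constructed."""
import re

FIXED_216 = (2, 16, 3)   # fixed release for 2.16 and everything before it
FIXED_217 = (2, 17, 4)   # fixed release for the 2.17 development branch


def parse_version(text):
    """Pull the first dotted version out of a banner such as '2.16.2' or
    'Bugzilla version 2.17' and return it as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the reported version predates the fix on its branch."""
    v = parse_version(version_text)
    if v is None:
        return False            # no version, no version-based finding
    if v < FIXED_216:
        return True             # 2.16.0-2.16.2 and every older release
    if v[:2] == (2, 17) and v < FIXED_217:
        return True             # 2.17.0-2.17.3
    return False


def triage(banners):
    """Return the subset of constructed banners that the gate would flag."""
    return [b for b in banners if is_vulnerable(b)]


if __name__ == "__main__":
    sample = ["2.16.2", "2.16.3", "2.17.3", "2.17.4", "2.14.5", "2.18.0"]
    print(triage(sample))
```

Because the decision rests on the version string alone, a distribution that backports the fix without bumping the version will still be flagged; that is why the plugin only fires with paranoid mode enabled, and why a flagged host should be confirmed against the vendor's changelog before being reported.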

Plugin Details

Severity: Medium

ID: 11553

File Name: bugzilla_xss_and_tmp_files.nasl

Version: 1.31

Type: remote

Family: CGI abuses

Published: 4/26/2003

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Required KB Items: Settings/ParanoidReport, installed_sw/Bugzilla

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/11/2003

Reference Information

CVE: CVE-2003-0602, CVE-2003-0603

BID: 6861, 6868, 7412

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990