FreeBSD : bugzilla -- multiple vulnerabilities (2b841f88-2e8d-11e2-ad21-20cf30e32f6d)

medium Nessus Plugin ID 62956

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

A Bugzilla Security Advisory reports: The following security issues have been discovered in Bugzilla:

Information Leak

If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field, even though they should remain confidential.

Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not).

Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message.

Cross-Site Scripting

Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.

A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.

Solution

Update the affected packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=731178

https://bugzilla.mozilla.org/show_bug.cgi?id=781850

https://bugzilla.mozilla.org/show_bug.cgi?id=802204

https://bugzilla.mozilla.org/show_bug.cgi?id=790296

https://bugzilla.mozilla.org/show_bug.cgi?id=808845

https://yuilibrary.com/support/20121030-vulnerability/

http://www.nessus.org/u?fadc481e

Plugin Details

Severity: Medium

ID: 62956

File Name: freebsd_pkg_2b841f882e8d11e2ad2120cf30e32f6d.nasl

Version: 1.8

Type: local

Published: 11/19/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:bugzilla, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 11/14/2012

Vulnerability Publication Date: 11/13/2012

Reference Information

CVE: CVE-2012-4189, CVE-2012-4197, CVE-2012-4198, CVE-2012-4199, CVE-2012-5881, CVE-2012-5882, CVE-2012-5883