CVE-2012-1969

medium

Description

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=777586

http://www.mandriva.com/security/advisories?name=MDVSA-2013:066

http://www.bugzilla.org/security/3.6.9/

http://secunia.com/advisories/50040

Details

Source: Mitre, NVD

Published: 2012-07-30

Updated: 2013-12-13

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium