CVE-2015-8509

Low

Description

Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.

References

https://www.bugzilla.org/security/4.2.15/

http://www.securitytracker.com/id/1034556

http://www.securityfocus.com/bid/79662

http://seclists.org/bugtraq/2015/Dec/131

http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html

Details

Source: Mitre, NVD

Published: 2016-01-03

Updated: 2016-12-07

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 3.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Severity: Low