FreeBSD : bugzilla Cross-Site Request Forgery (7f448dc1-82ca-11e1-b393-20cf30e32f6d)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

A Bugzilla Security Advisory reports :

The following security issues have been discovered in Bugzilla :

- Due to a lack of validation of the enctype form attribute when
making POST requests to xmlrpc.cgi, a possible CSRF vulnerability was
discovered. If a user visits an HTML page with some malicious HTML
code in it, an attacker could make changes to a remote Bugzilla
installation on behalf of the victim's account by using the XML-RPC
API on a site running mod_perl. Sites running under mod_cgi are not
affected. Also, the user would have had to be already logged in to the
target site for the vulnerability to work.

All affected installations are encouraged to upgrade as soon as
possible.
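
The kind of check whose absence the advisory describes can be sketched as follows. This is an added example in Python, not code from Bugzilla or from the advisory; the function names, the allow-list of XML media types and the sample requests are assumptions made for illustration.

```python
# Added illustration (not Bugzilla code): Content-Type gate for an XML-RPC endpoint.

# The only media types an HTML <form> can send, selected by its enctype attribute.
FORM_ENCTYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Media types accepted for an XML-RPC call (assumed allow-list).
XMLRPC_TYPES = frozenset({"text/xml", "application/xml"})


def media_type(header_value):
    """Return the lowercase type/subtype of a Content-Type header, or None."""
    if not header_value:
        return None
    return header_value.split(";", 1)[0].strip().lower() or None


def check_xmlrpc_request(method, content_type):
    """Return (http_status, reason) for a request aimed at the XML-RPC endpoint."""
    if method.upper() != "POST":
        return 405, "XML-RPC calls must use POST"
    mtype = media_type(content_type)
    if mtype in XMLRPC_TYPES:
        return 200, "accepted"
    if mtype in FORM_ENCTYPES:
        return 415, "form enctype %s: body may come from a cross-site HTML form" % mtype
    return 415, "missing or unexpected Content-Type"


# Constructed sample requests: (method, Content-Type header).
SAMPLES = [
    ("POST", "text/xml; charset=UTF-8"),
    ("POST", "text/plain"),
    ("POST", "multipart/form-data; boundary=x"),
    ("POST", None),
    ("GET", "text/xml"),
]


def audit(samples=SAMPLES):
    """Return the status code decided for each sample request."""
    return [check_xmlrpc_request(m, ct)[0] for m, ct in samples]


if __name__ == "__main__":
    for (m, ct), status in zip(SAMPLES, audit()):
        print(m, repr(ct), "->", status)
```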

See also :

https://bugzilla.mozilla.org/show_bug.cgi?id=725663
http://www.nessus.org/u?e5c24893

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 58647

Bugtraq ID:

CVE ID: CVE-2012-0453
