FreeBSD : bugzilla -- multiple vulnerabilities (2b841f88-2e8d-11e2-ad21-20cf30e32f6d)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

A Bugzilla Security Advisory reports :

The following security issues have been discovered in Bugzilla :

Information Leak

If the visibility of a custom field is controlled by a product or a
component of a product you cannot see, their names are disclosed in the
JavaScript code generated for this custom field even though they should
remain confidential.

Calling the User.get method with a 'groups' argument leaks the
existence of the groups depending on whether an error is thrown or
not. This method now also throws an error if the user calling this
method does not belong to these groups (independently of whether the
groups exist or not).
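The User.get issue above is an error-path oracle: an unprivileged caller learned whether a group existed from which error came back. The block below is an added illustration, not Bugzilla's code; the group directory, user names and function names are constructed. It contrasts the leaky pattern with the uniform-error behaviour the advisory describes, and includes a small check that reports whether an outsider can still tell an existing group from a non-existent one.

```python
"""Added example (not Bugzilla's code): an existence oracle in error handling.

The advisory describes User.get throwing an error only when a requested
group did not exist, which let any caller probe for group names. The fix
it describes is to raise the same error whenever the caller is not a
member of the requested groups, whether or not they exist.
Directory contents and names below are constructed for illustration.
"""

# Constructed directory: group name -> set of member user names.
GROUPS = {
    "editbugs": {"alice", "bob"},
    "secteam": {"alice"},
}


class AuthError(Exception):
    """Raised when the caller may not see the requested groups."""


def user_get_leaky(caller, groups):
    """Vulnerable pattern: the error type depends on whether the group exists."""
    for name in groups:
        if name not in GROUPS:
            # Distinguishable error: confirms the group does not exist.
            raise ValueError("group does not exist: " + name)
    for name in groups:
        if caller not in GROUPS[name]:
            raise AuthError("not a member")
    return sorted(set().union(*(GROUPS[n] for n in groups)))


def user_get_fixed(caller, groups):
    """Hardened pattern: one uniform error for 'missing' and 'not a member'."""
    for name in groups:
        # A missing group behaves exactly like a group the caller is not in.
        if caller not in GROUPS.get(name, set()):
            raise AuthError("you are not a member of the requested groups")
    return sorted(set().union(*(GROUPS[n] for n in groups)))


def probe(fn, caller, name):
    """Return what the caller observes for one group name: 'ok' or the error class."""
    try:
        fn(caller, [name])
        return "ok"
    except Exception as exc:  # noqa: BLE001 - we want to classify every outcome
        return type(exc).__name__


def oracle_distinguishes(fn, caller="outsider"):
    """True if a non-member can tell an existing group from a non-existent one."""
    return probe(fn, caller, "secteam") != probe(fn, caller, "nosuchgroup")


if __name__ == "__main__":
    print("leaky oracle distinguishable:", oracle_distinguishes(user_get_leaky))
    print("fixed oracle distinguishable:", oracle_distinguishes(user_get_fixed))
    print("member query:", user_get_fixed("alice", ["editbugs", "secteam"]))
```

The check in `oracle_distinguishes` is the regression test a maintainer would keep: any future change that reintroduces a distinct error for unknown group names makes it return True again.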

Trying to mark an attachment in a bug you cannot see as obsolete
discloses its description in the error message. The description of the
attachment is now removed from the error message.

Cross-Site Scripting

Due to incorrectly filtered field values in tabular reports, it is
possible to inject code leading to XSS.
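The tabular-report issue is the familiar one of stored field values reaching HTML output without escaping. The block below is an added illustration, not Bugzilla's report code; the rows, column names and function names are constructed. It renders the same rows with and without escaping and adds a detection helper that flags any tag other than the table markup the renderer itself emits.

```python
"""Added example (not Bugzilla's code): escaping field values in a tabular report.

Report rows, columns and function names are constructed for illustration.
"""
import html
import re

# Constructed report rows; the second product name carries markup.
ROWS = [
    {"product": "Widgets", "status": "NEW", "count": 3},
    {"product": "Gadgets <script>x()</script>", "status": "ASSIGNED", "count": 1},
]
COLUMNS = ["product", "status", "count"]


def render_report_unescaped(rows, columns):
    """Vulnerable pattern: field values interpolated into HTML verbatim."""
    header = "".join("<th>%s</th>" % c for c in columns)
    out = ["<table><tr>%s</tr>" % header]
    for row in rows:
        out.append("<tr>" + "".join("<td>%s</td>" % row[c] for c in columns) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def render_report_escaped(rows, columns):
    """Hardened pattern: every value passes through html.escape before interpolation."""
    def cell(tag, value):
        return "<%s>%s</%s>" % (tag, html.escape(str(value), quote=True), tag)

    out = ["<table><tr>" + "".join(cell("th", c) for c in columns) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(cell("td", row[c]) for c in columns) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


# Any tag that is not part of the table markup the renderer emits itself.
UNEXPECTED_TAG_RE = re.compile(r"<(?!/?(?:table|tr|td|th)\b)[^>]*>")


def has_unexpected_tags(markup):
    """Detection helper: True if the rendered report contains foreign tags."""
    return UNEXPECTED_TAG_RE.search(markup) is not None


if __name__ == "__main__":
    print("unescaped report injectable:", has_unexpected_tags(render_report_unescaped(ROWS, COLUMNS)))
    print("escaped report injectable:", has_unexpected_tags(render_report_escaped(ROWS, COLUMNS)))
```

The detection helper is deliberately narrow: it knows exactly which tags the renderer produces, so anything else in the output is evidence that a field value reached the page unescaped.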

A vulnerability in swfstore.swf from YUI2 allows JavaScript injection
exploits to be created against domains that host this affected YUI
.swf file.

See also :

https://bugzilla.mozilla.org/show_bug.cgi?id=731178
https://bugzilla.mozilla.org/show_bug.cgi?id=781850
https://bugzilla.mozilla.org/show_bug.cgi?id=802204
https://bugzilla.mozilla.org/show_bug.cgi?id=790296
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
http://yuilibrary.com/support/20121030-vulnerability/
http://www.nessus.org/u?7d39719a

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 62956

Bugtraq ID:

CVE ID: CVE-2012-4189
CVE-2012-4197
CVE-2012-4198
CVE-2012-4199
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
