FreeBSD : bugzilla -- Cross-Site Request Forgery (608ed765-c700-11e3-848c-20cf30e32f6d)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

A Bugzilla Security Advisory reports : The login form had no CSRF
protection, meaning that an attacker could force the victim to log in
using the attacker's credentials. If the victim then reports a new
security sensitive bug, the attacker would get immediate access to
this bug.

Due to changes involved in the Bugzilla API, this fix is not
backported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12
and older, and 4.2.8 and older, will remain vulnerable to this issue.

See also :

https://bugzilla.mozilla.org/show_bug.cgi?id=713926
http://www.nessus.org/u?05b01261

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 73632

Bugtraq ID:

CVE ID: CVE-2014-1517
