FreeBSD : bugzilla -- two SQL injections, sensitive data exposure (b9ec7fe3-a38a-11de-9c6b-003048818f40)

High Nessus Plugin ID 41007


The remote FreeBSD host is missing a security-related update.


A Bugzilla Security Advisory reports:

- Raw SQL can be injected into the Bugzilla database through the 'Bug.create' and '' WebService functions (CWE-89).

- A user who changed their password and then logged in immediately afterward had the new password exposed in the browser's URL field, where it can persist in browser history and in web server or proxy logs (CWE-255).
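The advisory items above state the defect class but not the mechanism. The following is an added example, not Bugzilla's own code (Bugzilla is written in Perl and talks to its database through DBI; this is Python against an in-memory SQLite table with constructed sample rows). It models a hypothetical Bug.search-style WebService handler whose 'product' argument is attacker-controlled, once with the CWE-89 defect (string interpolation into the statement) and once with a bound parameter, and shows the private row the injected value exposes.

```python
import sqlite3

# Constructed sample rows (not Bugzilla data): bug 2 is private and must never
# be returned to a caller who only asked for the bugs of a product.
SAMPLE_BUGS = [
    (1, "Firefox", "Crash on startup", 0),
    (2, "Firefox", "Unreleased security fix", 1),
    (3, "Thunderbird", "Mail filter bug", 0),
]

# Hypothetical attacker-supplied 'product' argument: closes the string
# literal, adds an always-true predicate and comments out the rest.
PAYLOAD = "x' OR 1=1 --"


def make_db():
    """Build an in-memory SQLite table shaped like a minimal bugs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bugs (bug_id INTEGER, product TEXT, "
        "short_desc TEXT, private INTEGER)"
    )
    conn.executemany("INSERT INTO bugs VALUES (?, ?, ?, ?)", SAMPLE_BUGS)
    return conn


def search_vulnerable(conn, product):
    """Hypothetical search handler with the CWE-89 defect: the caller's value
    is pasted into the SQL text, so a quote character in it changes the
    structure of the statement instead of being compared as data."""
    sql = ("SELECT bug_id, short_desc FROM bugs "
           "WHERE private = 0 AND product = '%s'" % product)
    return conn.execute(sql).fetchall()


def search_fixed(conn, product):
    """Same handler with a bound parameter: the value travels separately
    from the statement text and can only ever be compared as a string."""
    sql = "SELECT bug_id, short_desc FROM bugs WHERE private = 0 AND product = ?"
    return conn.execute(sql, (product,)).fetchall()


def leaked_private_ids(rows):
    """IDs in 'rows' that belong to private bugs, i.e. what an injection exposed."""
    private = {bug_id for bug_id, _, _, priv in SAMPLE_BUGS if priv}
    return sorted(bug_id for bug_id, _ in rows if bug_id in private)


if __name__ == "__main__":
    conn = make_db()
    rows = search_vulnerable(conn, PAYLOAD)
    print("vulnerable handler returned:", rows)
    print("private bug ids leaked:", leaked_private_ids(rows))
    print("fixed handler returned:", search_fixed(conn, PAYLOAD))
```

With the payload, the interpolated statement becomes `... WHERE private = 0 AND product = 'x' OR 1=1 --'`, the `OR 1=1` defeats the `private = 0` filter and the private bug is returned; the parameterized version compares the whole payload as a product name and returns nothing. In Perl/DBI the equivalent of `search_fixed` is a `?` placeholder in the prepared statement with the value passed as a bind argument. The 'Bug.create' case is an INSERT rather than a SELECT, but the defect and the fix are the same.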


Update the affected package.

Plugin Details

Severity: High

ID: 41007

File Name: freebsd_pkg_b9ec7fe3a38a11de9c6b003048818f40.nasl

Version: $Revision: 1.8 $

Type: local

Published: 2009/09/18

Modified: 2016/12/08

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:bugzilla, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2009/09/17

Vulnerability Publication Date: 2009/09/11
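The plugin is a local check: it reads the installed package list (Host/FreeBSD/pkg_info) and compares the bugzilla package version against the fixed versions. The following is an added example, not the plugin's NASL code, that reproduces that logic in Python over constructed pkg_info output, handling FreeBSD's version[_revision][,epoch] syntax the way pkg_version(1) orders it. The per-branch fixed versions in FIXED_BY_BRANCH are an assumption made here for illustration (this page does not state them); take the authoritative affected ranges from the VuXML entry named in the title.

```python
import re

# Constructed pkg_info output (not captured from a real host).
SAMPLE_PKG_INFO = """\
bugzilla-3.4.1      The Bugzilla bug-tracking system
p5-DBI-1.609        The perl5 Database Interface.  Required for DBD::* modules
perl-5.8.9_3        Practical Extraction and Report Language
"""

# ASSUMPTION: first fixed release per major.minor branch. Not stated on this
# page; verify against the VuXML entry before relying on these values.
FIXED_BY_BRANCH = {"3.0": "3.0.9", "3.2": "3.2.5", "3.4": "3.4.2"}


def parse_fbsd_version(v):
    """Split FreeBSD 'version[_revision][,epoch]' into a comparable tuple.

    Ordering is epoch first, then the dotted numeric version, then the port
    revision, matching pkg_version(1). Only purely numeric dotted versions
    are handled; anything else (e.g. a 'rc1' component) raises."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError("unsupported version syntax: %r" % v)
    return (epoch, [int(c) for c in v.split(".")], rev)


def installed_bugzilla_version(pkg_info_text):
    """Return the version string of the installed bugzilla package, or None."""
    for line in pkg_info_text.splitlines():
        if not line.strip():
            continue
        m = re.fullmatch(r"bugzilla-(\S+)", line.split()[0])
        if m:
            return m.group(1)
    return None


def is_vulnerable(version, fixed_by_branch):
    """True if 'version' is older than the fixed release of its major.minor
    branch, False if at or past it, None if the branch is not in the table
    (decide that case by hand rather than silently calling it safe)."""
    parsed = parse_fbsd_version(version)
    branch = ".".join(str(c) for c in parsed[1][:2])
    if branch not in fixed_by_branch:
        return None
    return parsed < parse_fbsd_version(fixed_by_branch[branch])


if __name__ == "__main__":
    v = installed_bugzilla_version(SAMPLE_PKG_INFO)
    print("installed bugzilla:", v)
    print("vulnerable:", is_vulnerable(v, FIXED_BY_BRANCH))
```

Note that a port revision suffix (`3.4.1_5`) never lifts a package past the fixed upstream release, while an epoch (`,1`) outranks any version without one, so both must be parsed rather than compared as plain strings.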

Reference Information

CVE: CVE-2009-3125, CVE-2009-3165, CVE-2009-3166

CWE: 89, 255