Bugzilla show_bug.cgi id Parameter XSS
Medium Nessus Plugin ID 64877
Synopsis
The remote web server contains a CGI application that is affected by a cross-site scripting vulnerability.
Description
The version of Bugzilla installed on the remote host is affected by a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the 'id' parameter of the 'show_bug.cgi' script. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.
Note that the install is also likely to be affected by an information disclosure vulnerability; however, Nessus has not tested for this.
Solution
Upgrade to Bugzilla 3.6.13 / 4.0.10 / 4.2.5 / 4.4rc2 or later.
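The Solution line gives one fixed version per release branch, and a plain string comparison mishandles release candidates (4.4rc1 must sort before 4.4rc2, which must sort before 4.4 final). The following added example, which is not part of the Nessus plugin or of Bugzilla, encodes the advisory's fixed versions and decides whether an installed version predates its branch's fix; the sample inventory hostnames are constructed, and treating branches older than 3.6 as affected is an assumption not stated on the page.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions from the advisory's Solution line, keyed by release branch.
FIXED_BY_BRANCH = {
    (3, 6): "3.6.13",
    (4, 0): "4.0.10",
    (4, 2): "4.2.5",
    (4, 4): "4.4rc2",
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, patch, kind, rc); kind is 0 for a release
    candidate and 1 for a final, so 4.4rc1 < 4.4rc2 < 4.4 < 4.4.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Bugzilla version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is not None:
        return (int(major), int(minor), int(patch or 0), 0, int(rc))
    return (int(major), int(minor), int(patch or 0), 1, 0)

def is_affected(version: str) -> Optional[bool]:
    """True if the version predates its branch's fix, False if it is fixed
    or newer than every listed branch, None if the advisory does not cover
    that branch (e.g. an odd-numbered development series such as 4.3)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < parse_version(FIXED_BY_BRANCH[branch])
    if branch < min(FIXED_BY_BRANCH):
        # Assumption: branches older than 3.6 were out of support when
        # the fix shipped and never received it, so treat them as affected.
        return True
    if branch > max(FIXED_BY_BRANCH):
        return False
    return None

def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host of a {host: version} inventory to is_affected()."""
    return {host: is_affected(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "bugs-a.example.test": "4.2.4",   # affected
    "bugs-b.example.test": "4.2.5",   # fixed
    "bugs-c.example.test": "4.4rc1",  # affected
    "bugs-d.example.test": "3.6.13",  # fixed
}
```

A None result means the advisory gives no fixed version for that branch, so it should be reviewed by hand rather than reported as clean.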