Bugzilla 2.0 < 4.0.12 / 4.2.8 / 4.4.3 / 4.5.3 Character Spoofing
Medium Nessus Plugin ID 74106
Synopsis
The remote web server contains a web application that suffers from a character spoofing vulnerability.
Description
According to its banner, the version of Bugzilla installed on the remote host is 2.0 or later but prior to 4.0.12, 4.1.1 or later but prior to 4.2.8, 4.3.1 or later but prior to 4.4.3, or 4.5.1 or later but prior to 4.5.3. It is, therefore, affected by a character spoofing vulnerability.
The vulnerability exists in the bug comment feature, which does not properly handle control characters. A remote attacker could use such characters to spoof the displayed content of a comment, which could lead to arbitrary command injection if the comment text is copied into a terminal.
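As an added example (not Bugzilla's own code or the fix Nessus refers to), the following Python shows the kind of check an application can apply to comment text before storing or rendering it: it locates control characters that are not ordinary line or tab whitespace, and rewrites them into a visible escaped form so the comment stays readable but can no longer carry raw terminal control sequences. The function names and the set of allowed whitespace are assumptions for this illustration.

```python
import unicodedata

# Whitespace control characters that are legitimate in a multi-line comment.
# Carriage return is deliberately NOT allowed: on a terminal it can overwrite
# text already written on the line, which is exactly what spoofing relies on.
ALLOWED_WHITESPACE = {"\n", "\t"}  # assumption for this example


def is_disallowed_control(ch):
    """True for C0 (0x00-0x1F), DEL (0x7F) and C1 (0x80-0x9F) characters,
    identified via the Unicode 'Cc' category, except the allowed whitespace."""
    return ch not in ALLOWED_WHITESPACE and unicodedata.category(ch) == "Cc"


def find_control_chars(text):
    """Return a list of (offset, character) for every disallowed control
    character in text. Useful for flagging or logging suspicious comments."""
    return [(i, ch) for i, ch in enumerate(text) if is_disallowed_control(ch)]


def sanitize_comment(text):
    """Replace each disallowed control character with a visible \\xNN escape
    so the comment no longer contains the raw byte when displayed or copied."""
    out = []
    for ch in text:
        out.append("\\x%02x" % ord(ch) if is_disallowed_control(ch) else ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample comment: an ANSI colour sequence and a bell character
    # embedded in otherwise ordinary text.
    sample = "See the log:\n\x1b[31mhighlighted\x1b[0m line\x07\tend"
    print(find_control_chars(sample))
    print(repr(sanitize_comment(sample)))
```

The escaped form is chosen over silent stripping so that reviewers can still see that something unusual was submitted, which is the signal a moderator or a detection rule would want.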
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Bugzilla 4.0.12 / 4.2.8 / 4.4.3 / 4.5.3 or later.