Bugzilla < 4.0.15 / 4.2.11 / 4.4.6 / 4.5.6 Multiple Vulnerabilities

High Nessus Plugin ID 78069


The remote web server contains a web application affected by multiple vulnerabilities.


According to its banner, the version of Bugzilla installed on the remote host contains multiple flaws. It is, therefore, affected by the following vulnerabilities :

- If a new comment is marked as private to the insider group, and a flag is set in the same transaction, the comment will be visible to flag recipients even if they are not in the insider group. (CVE-2014-1571)

- A remote attacker can override certain parameters when creating a new Bugzilla account. This can lead to the account being created with a different email address than originally requested, allowing a user to be added to certain groups based on the group's regular expression setting. This may allow an attacker to escalate a given user accounts privileges.

- A flaw existed in how CGI arguments were handled that could allow cross-site scripting exploits which an attacker could use to access sensitive information.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


Upgrade to Bugzilla 4.0.15 / 4.2.11 / 4.4.6 / 4.5.6 or later.

See Also




Plugin Details

Severity: High

ID: 78069

File Name: bugzilla_4_4_6.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 2014/10/06

Updated: 2018/11/15

Dependencies: 11462

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Required KB Items: installed_sw/Bugzilla, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/10/06

Vulnerability Publication Date: 2014/10/06

Reference Information

CVE: CVE-2014-1571, CVE-2014-1572, CVE-2014-1573

BID: 70256, 70257, 70258

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990