Bugzilla < 3.0.11 / 3.2.6 / 3.4.5 / 3.5.3 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 5331


The remote web server is hosting an application that is vulnerable to multiple attack vectors.


The remote web server is hosting a version of Bugzilla that is earlier than 3.0.11, 3.2.6, 3.4.5, or 3.5.3. Such versions are potentially affected by multiple vulnerabilities:

- Bugzilla allows web browsers to access the contents of files in the 'CVS/', 'contrib/', 'docs/en/xml', and 't/' directories as well as the 'old-params.txt' file.

- When moving a bug from one product to another, an intermediate web page is displayed letting you select the groups the bug should be restricted to in the new product. Because of a regression in Bugzilla 3.4.x involving groups, a private bug could temporarily become public.


Upgrade to Bugzilla 3.0.11, 3.2.6, 3.4.5, 3.5.3, or later.


Plugin Details

Severity: Medium

ID: 5331

Family: CGI

Published: 2010/02/01

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 44426

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C


Base Score: 5.3

Temporal Score: 4.9


Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2010/01/31

Vulnerability Publication Date: 2010/02/01

Reference Information

CVE: CVE-2009-3387, CVE-2009-3989

BID: 38025, 38026