Bugzilla < 4.0.16 / 4.1.1 < 4.2.12 / 4.3 < 4.4.7 / 4.5 < 4.5.6 Command Injection

Medium Nessus Network Monitor Plugin ID 8913


The remote host is running a version of Bugzilla which is affected by a command injection vulnerability.


The remote host is running Bugzilla, a bug tracking application with a web interface. Bugzilla versions prior to 4.0.16, versions 4.1.1 and later prior to 4.2.12, versions 4.3.1 and later prior to 4.4.7, and versions 4.5.1 and later prior to 4.5.6 are affected by a command injection vulnerability. The flaw exists because the application calls the Perl open() function in its two-argument form rather than the three-argument form. In the two-argument form the open mode is parsed out of the filename string itself, so a string that begins or ends with a pipe character ('|') is executed as a shell command instead of being opened as a file. An authenticated attacker can exploit this by embedding shell metacharacters in product names and other attributes that are later used to build a filename passed to such an open() call. Successful exploitation allows the attacker to execute arbitrary commands in the context of the affected application.
Note: To exploit this issue an attacker must have an account with the 'editcomponents' permission.
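The following Perl is an added example, not code from Bugzilla or from this plugin. It shows the mechanism the description refers to: a filename built from an attacker-controlled product name is passed to a two-argument open(), which treats a trailing '|' as "read from this shell command", beside the three-argument form that treats the same string as a literal path. The directory, marker file, product name and helper names are constructed here for illustration.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code): why a two-argument open() is a command
# injection sink when part of the filename is attacker-controlled, and why the
# three-argument form is not.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed scenario: a per-product data file is read from a directory and
# the file name is built from the product name. A user with 'editcomponents'
# can set product names, so the name is attacker-controlled.
my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/injected";

# Two-argument open() strips surrounding whitespace and interprets a leading
# or trailing "|" as a pipe to/from a shell command. A product name ending in
# "|" therefore turns the whole path into a shell command line.
my $product_name = "Widgets; echo pwned > $marker |";

# VULNERABLE: the mode is parsed out of the string, so
# "<dir>/Widgets; echo pwned > <dir>/injected |" is handed to /bin/sh, which
# runs both commands (the first fails, the second creates $marker).
sub read_product_file_vulnerable {
    my ($name) = @_;
    my $path = "$dir/$name";
    open(my $fh, $path) or return undef;    # 2-arg open: command injection sink
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# FIXED: the mode is a separate argument, so the string is always a literal
# file name. Opening "Widgets; echo ... |" fails with ENOENT and nothing runs.
# (Rejecting "/" or ".." in the name is a separate, additional check that the
# caller still owes; it is not what this advisory is about.)
sub read_product_file_fixed {
    my ($name) = @_;
    my $path = "$dir/$name";
    open(my $fh, '<', $path) or return undef;   # 3-arg open: literal path only
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

read_product_file_vulnerable($product_name);
print "after two-argument open():   marker file exists = ",
      (-e $marker ? "yes" : "no"), "\n";
unlink $marker;

read_product_file_fixed($product_name);
print "after three-argument open(): marker file exists = ",
      (-e $marker ? "yes" : "no"), "\n";
```

The same two-argument form also honors a leading '<', '>', '>>' or '+<', so attacker-controlled data can truncate or overwrite files even without a pipe. To find remaining two-argument calls in a Perl code base, the Perl::Critic policy InputOutput::ProhibitTwoArgOpen flags them, e.g. `perlcritic --single-policy InputOutput::ProhibitTwoArgOpen lib/`.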


Upgrade to versions 4.0.16, 4.2.12, 4.4.7, 5.0rc1, or later.

Plugin Details

Severity: Medium

ID: 8913

Family: CGI

Published: 2015/02/20

Modified: 2016/02/05

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 5

Temporal Score: 4.6

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Patch Publication Date: 2015/01/21

Vulnerability Publication Date: 2015/01/21

Reference Information

CVE: CVE-2014-8630

BID: 72525