
Bugzilla < 3.0.11 / 3.2.6 / 3.4.5 / 3.5.3 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting an application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting a version of Bugzilla that is earlier than 3.0.11, 3.2.6, 3.4.5, or 3.5.3. Such versions are potentially affected by multiple vulnerabilities:

- Bugzilla lets the web server deliver the contents of files in the 'CVS/', 'contrib/', 'docs/en/xml', and 't/' directories, as well as the 'old-params.txt' file, to any web browser.

- When moving a bug from one product to another, an intermediate web page is displayed letting you select the groups the bug should be restricted to in the new product. Because of a regression in Bugzilla 3.4.x involving groups, a private bug could temporarily become public.

Solution

Upgrade to Bugzilla 3.0.11, 3.2.6, 3.4.5, 3.5.3, or later.
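As an added example (not part of this advisory or of Bugzilla itself), the check below applies the affected ranges named above to an installed Bugzilla version string, branch by branch, so that 3.4.4 is flagged while 3.4.5 is not. How it treats development branches that never received a fixed release (3.1.x, 3.3.x) is this example's own assumption, not something the advisory states.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {
    (3, 0): (3, 0, 11),
    (3, 2): (3, 2, 6),
    (3, 4): (3, 4, 5),
    (3, 5): (3, 5, 3),
}

# Ordering of stages that share one base version:
# release candidate < final release < "+" development snapshot.
_STAGE = {"rc": 0, "": 1, "+": 2}

# Matches Bugzilla-style version strings such as "3.4.4", "3.4rc1", "3.5.2+".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(rc\d+|\+)?$")


def parse_version(text):
    """Turn a version string into a comparable tuple
    (major, minor, patch, stage, rc_number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Bugzilla version: %r" % text)
    major, minor, patch, suffix = m.groups()
    suffix = suffix or ""
    if suffix.startswith("rc"):
        stage, rc_num = _STAGE["rc"], int(suffix[2:])
    else:
        stage, rc_num = _STAGE[suffix], 0
    return (int(major), int(minor), int(patch or 0), stage, rc_num)


def is_affected(text):
    """True if the version is earlier than the fixed release of its branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch] + (_STAGE[""], 0)
    # Branches with no fixed release (e.g. 3.1.x, 3.3.x, or anything older
    # than 3.0): this example assumes they are affected when older than the
    # newest fixed release, and that anything newer (3.6 and up) is not.
    newest = max(FIXED_BY_BRANCH.values()) + (_STAGE[""], 0)
    return v < newest
```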