Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Bugzilla < 3.2.9 / 3.4.9 / 3.6.3 Multiple Vulnerabilities

High

Synopsis

The remote web server is hosting an application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting Bugzilla, a web-based bug tracking application.

Versions of Bugzilla 3.2.x earlier than 3.2.9, 3.4.x earlier than 3.4.9, and 3.6.x earlier than 3.6.3 are potentially affected by multiple vulnerabilities :

- By inserting a certain string into a URL, it is possible to inject both headers and content to any browser that supports "Server Push". (CVE-2010-3172)

- The Charts system generates graphs with predictable names into the 'graphs/' directory, which can also be browsed to see its contents. (CVE-2010-3764)

- YUI 2.8.1 is vulnerable to a cross-site scripting vulnerability in certain .swf files.

Solution

Upgrade to Bugzilla 3.2.9, 3.4.9, 3.6.3 or later.