
Bugzilla < 3.2.10 / 3.4.10 / 3.6.4 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting an application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting Bugzilla, a web-based bug tracking application.

Versions of Bugzilla 3.2.x earlier than 3.2.10, 3.4.x earlier than 3.4.10, and 3.6.x earlier than 3.6.4 are potentially affected by multiple vulnerabilities:

- A weakness could allow a user to gain unauthorized access to another Bugzilla account.

- A weakness in the Perl CGI.pm module allows an attacker to inject HTTP headers and content into responses served to users via several pages.

- It is possible to insert harmful 'javascript:' or 'data:' URLs into Bugzilla's 'URL' field, which in some cases Bugzilla renders as clickable links.

- Various pages lack protection against cross-site request forgeries.
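The 'URL' field, header-injection and cross-site request forgery items above, as an added example in Python (this is not Bugzilla's own Perl code and does not reproduce its fixes): a scheme allow-list that normalises input the way browsers do before reading the scheme, a check that refuses CR/LF/NUL in HTTP response header values, and a constant-time CSRF token comparison. The contents of the allow-list, the function names and the sample inputs are constructed assumptions for illustration.

```python
"""Defensive checks for the three injection classes named in the advisory.

Added example; not Bugzilla's own code. The allow-list, function names and
sample inputs are constructed for illustration.
"""
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Schemes that a bug's 'URL' field may be rendered as a clickable link
# (constructed allow-list; a real deployment chooses its own).
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020


def normalize_url(raw: str) -> str:
    """Apply the same pre-processing browsers do before they read the scheme.

    Leading/trailing C0 controls and spaces are stripped, and tab, LF and CR
    are removed anywhere in the string, so "  JavaScript:" or "java\tscript:"
    are seen as the browser would execute them. Without this step a plain
    string-prefix check on the raw value can be bypassed.
    """
    stripped = raw.strip(_C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", stripped)


def clickable_url(raw: str):
    """Return the normalised URL if it is safe to render as a link, else None.

    Anything whose scheme is not on the allow-list, including 'javascript:',
    'data:', 'vbscript:' and scheme-less input, is refused; the caller then
    shows the field as plain text rather than as an <a href>.
    """
    url = normalize_url(raw)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return url


def header_value_is_safe(value: str) -> bool:
    """True if a value may be placed in an HTTP response header.

    A CR, LF or NUL inside a value such as Location or Content-Disposition
    ends the header and lets the remainder of the string become further
    headers or response body, which is the header/content injection described
    above. Folded continuation lines (CRLF followed by space/tab) are
    obsolete and are rejected too rather than special-cased.
    """
    return re.search(r"[\r\n\x00]", value) is None


def new_csrf_token() -> str:
    """Per-session token to embed in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted_token) -> bool:
    """Constant-time comparison of the form's token against the session's.

    Missing or non-string submissions fail closed; compare_digest avoids
    leaking how many leading bytes matched.
    """
    if not session_token or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["https://example.org/bug/1", "  JavaScript:alert(1)",
                   "java\tscript:alert(1)", "data:text/html,hi", "example.org"]:
        print(repr(sample), "->", clickable_url(sample))
    print(header_value_is_safe('attachment; filename="x.txt"'))
    print(header_value_is_safe("x\r\nSet-Cookie: a=b"))
```

Rejected URLs are returned as `None` so the template can still display the stored text without making it a link; a value with no scheme at all is refused rather than guessed at, which keeps the decision to prepend `http://` an explicit one in the caller.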

Solution

Upgrade to Bugzilla 3.2.10, 3.4.10, 3.6.4 or later.