Summary
The host is running Bugzilla and is prone to information disclosure and cross site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to gain sensitive information and execute arbitrary HTML and script code in a users browser session in context of an affected site.
Impact Level: Application
Solution
Upgrade to Bugzilla 3.6.13, 4.0.10, 4.2.5, 4.4rc2 or later, For updates refer to http://www.bugzilla.org/download/
Insight
- Input passed to the 'id' parameter in show_bug.cgi (when 'format' is set to an invalid format) is not properly sanitized before being returned to the user.
- An error related to running a query in debug mode can be exploited to disclose if certain field values exists.
Affected
Bugzilla version 2.0 to 3.6.12, 3.7.1 to 4.0.9, 4.1.1 to 4.2.4 and 4.3.1 to 4.4rc1
References
Severity
Classification
-
CVE CVE-2013-0785 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- 2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities
- APC PowerChute Network Shutdown 'security/applet' Cross Site Scripting Vulnerability
- @Mail WebMail Email Body HTML Injection Vulnerability
- Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability
- Apache Continuum Cross Site Scripting Vulnerability