Summary
This host is running Bugzilla and is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow attackers to read sensitive information via the HTTP 'Referer' header.
Impact Level: Application
Solution
Upgrade to Bugzilla version 3.4.2 or later.
For updates refer to http://www.bugzilla.org/download/
Insight
The flaw is caused because the application places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords (for example, through the 'Referer' header sent to a third-party site).
Affected
Bugzilla version 3.4rc1 to 3.4.1.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2009-3166
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N