Summary
The remote host is missing an update to the system as announced in the referenced advisory.
Solution
Update your system with the appropriate patches or software upgrades.
https://bugzilla.mozilla.org/show_bug.cgi?id=697699 https://bugzilla.mozilla.org/show_bug.cgi?id=711714 https://bugzilla.mozilla.org/show_bug.cgi?id=703975 https://bugzilla.mozilla.org/show_bug.cgi?id=703983 http://www.vuxml.org/freebsd/0c7a3ee2-3654-11e1-b404-20cf30e32f6d.html
Insight
The following package is affected: bugzilla
CVE-2011-3657
Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13
3.5.x and 3.6.x before 3.6.7
3.7.x and 4.0.x
before 4.0.3
and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart.
CVE-2011-3667
The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13
3.5.x and 3.6.x before 3.6.7
3.7.x and 4.0.x
before 4.0.3
and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.
CVE-2011-3668
Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports.
CVE-2011-3669
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments.
Severity
Classification
-
CVE CVE-2011-3657, CVE-2011-3667, CVE-2011-3668, CVE-2011-3669 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities