You are here

V-025: Bugzilla Multiple Cross Site Scripting and Information Disclosure Vulnerabilities

November 15, 2012 - 6:00am

Addthis

PROBLEM:

Bugzilla Multiple Cross Site Scripting and Information Disclosure Vulnerabilities

PLATFORM:

Mozilla Bugzilla

ABSTRACT:

Bugzilla Multiple Vulnerabilities

REFERENCE LINKS:

Bugzilla Security Advisory
Secunia Advisory SA51265
Bugtraq ID:  56504 
CVE-2012-4189
CVE-2012-4197
CVE-2012-4198
CVE-2012-4199
CVE-2012-5475

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A security issue and multiple vulnerabilities have been reported in Bugzilla, which can be exploited by malicious people to disclose potentially sensitive information and conduct cross-site scripting and script insertion attacks.

1) An error exists when the visibility of custom fields are controlled by a restricted product or a product component. This can be exploited to disclose the name of the custom fields via the JavaScript source code.

2) An error due to the User.get() method returning different responses can be exploited to disclose the existence of groups.

3) Certain unspecified input when creating tabular reports is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

4) An error when marking an attachment as obsolete in a restricted bug can be exploited to disclose the description of the attachment via an error message.

5) The application bundles a vulnerable version of swfstore.swf.

IMPACT:

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, and to obtain sensitive information.

SOLUTION:

Update to version 3.6.12, 4.0.9, or 4.2.4 or apply patches.

Addthis