Bugzilla LDAP Injection and Information Disclosure Vulnerabilities
Bugzilla is prone to an LDAP-injection vulnerability and an information-disclosure vulnerability
A vulnerability and a security issue have been reported in Bugzilla; they can be exploited by malicious people to disclose potentially sensitive information and manipulate certain data.
1) Input passed via the username is not properly escaped before being used in an LDAP query and can be exploited to inject LDAP statements.
2) The application does not restrict directory browsing of the extensions directory; this can be exploited to disclose the source code of templates.
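The root cause of issue 1) is untrusted input interpolated into an LDAP search filter without the escaping RFC 4515 requires. The following is an added Python example, not Bugzilla's own (Perl) code: the filter shape `(uid=<username>)`, the helper names, and the test values are assumptions chosen to illustrate the defect and its fix.

```python
# Added example, not Bugzilla code: escaping untrusted input before it is
# placed inside an LDAP search filter (RFC 4515, section 3).
from typing import Dict

# Metacharacters that must be replaced by \XX hex escapes in filter values.
_LDAP_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    # Per-character lookup: a literal backslash becomes \5c and the escapes
    # we emit are never re-escaped.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str, uid_attr: str = "uid") -> str:
    """Vulnerable pattern the advisory describes: raw interpolation (assumed filter shape)."""
    return f"({uid_attr}={username})"


def build_user_filter(username: str, uid_attr: str = "uid") -> str:
    """Hardened form of the same lookup: the username is escaped first."""
    return f"({uid_attr}={escape_ldap_filter_value(username)})"


def count_unescaped(filter_str: str, chars: str) -> int:
    """Count occurrences of `chars` that are not part of a \\XX escape sequence."""
    n, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\" and i + 2 < len(filter_str):
            i += 3  # skip the backslash and its two hex digits
            continue
        if filter_str[i] in chars:
            n += 1
        i += 1
    return n


def is_single_equality_filter(filter_str: str) -> bool:
    """Defensive check: exactly one unescaped '(' and ')' and no unescaped '*'."""
    return (count_unescaped(filter_str, "(") == 1
            and count_unescaped(filter_str, ")") == 1
            and count_unescaped(filter_str, "*") == 0)
```

`is_single_equality_filter` is a cheap assertion to run on the final filter string before it reaches the directory server; it flags any username that would have changed the filter's structure.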
Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The vendor has issued a fix. Update to version 3.6.11, 4.0.8, 4.2.3, or 4.3.3.