Release date:
Updated on:
Affected Systems:
Bugzilla 4.x
Bugzilla 3.x
Bugzilla 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58060
CVE (CAN) ID: CVE-2013-0785, CVE-2013-0786
Bugzilla is an open-source defect tracking system that manages the entire lifecycle of a defect in software development, from filing through fixing to closing.
Security vulnerabilities exist in the implementation of Bugzilla that can be exploited by malicious users to disclose sensitive information and to perform cross-site scripting attacks.
1. The "id" parameter of show_bug.cgi is not properly validated or filtered before it is used, allowing cross-site scripting. This vulnerability affects versions 2.0-3.6.12, 3.7.1-4.0.9 and 4.1.1-4.2.4.
2. An error in the debug mode used when running queries may expose sensitive information. This vulnerability affects versions 2.17.1-3.6.12 and 3.7.1-4.0.9.
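Added example (not code from the advisory or from the Bugzilla project): a defender-side script in Python that shows the kind of strict validation the advisory says the "id" parameter lacks, and applies it to constructed web-server access-log lines to flag show_bug.cgi requests whose id is not a positive integer, plus queries run with a debug parameter. The log lines are constructed for this example, and the assumption that debug mode is selected by a query parameter named "debug" is an assumption of this example, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strict rule for a bug id: a positive decimal integer and nothing else.
BUG_ID_RE = re.compile(r"^[1-9][0-9]*$")


def validate_bug_id(raw):
    """Return the bug id as an int, or None if the value is not a positive integer.

    This is the check the advisory describes as missing for show_bug.cgi's
    "id" parameter: reject anything that is not a plain integer before the
    value is used in a query or echoed back into an HTML page.
    """
    if raw is None or not BUG_ID_RE.match(raw):
        return None
    return int(raw)


# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2013:10:01:02 +0000] "GET /show_bug.cgi?id=12345 HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2013:10:01:09 +0000] "GET /show_bug.cgi?id=12345%3Cb%3Etest HTTP/1.1" 200 4097
10.0.0.9 - - [20/Feb/2013:10:02:15 +0000] "GET /buglist.cgi?product=Foo&debug=1 HTTP/1.1" 200 9000
10.0.0.5 - - [20/Feb/2013:10:03:00 +0000] "GET /show_bug.cgi?id=999999 HTTP/1.1" 404 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(text):
    """Return (client ip, finding, detail) tuples for suspicious Bugzilla requests.

    Two conditions are flagged:
      - show_bug.cgi called with an id that fails validate_bug_id()
      - any script called with a non-empty, non-zero "debug" parameter
        (parameter name assumed for this example)
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m.group("url"))
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        script = parts.path.rsplit("/", 1)[-1]
        if script == "show_bug.cgi":
            for raw in params.get("id", []):
                if validate_bug_id(raw) is None:
                    findings.append((m.group("ip"), "show_bug.cgi non-numeric id", raw))
        if params.get("debug", [""])[0] not in ("", "0"):
            findings.append((m.group("ip"), "debug mode query", script))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script reports the request with the decoded id "12345<b>test" and the buglist.cgi request with debug=1; the two well-formed show_bug.cgi requests pass. The same validate_bug_id rule, applied server-side before the id is used or reflected, is the mitigation the advisory's first item calls for.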
Source: SimranJeet Singh
Link: https://bugzilla.mozilla.org/show_bug.cgi?id=842038
http://secunia.com/advisories/52254/
http://www.bugzilla.org/security/3.6.12/
https://bugzilla.mozilla.org/show_bug.cgi?id=824399
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Bugzilla
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.bugzilla.org/security/