Bugzilla 'id' Parameter Cross-site scripting and Information Leakage Vulnerability

Release date:
Updated on:

Affected Systems:
Bugzilla 4.x
Bugzilla 3.x
Bugzilla 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58060
CVE (CAN) ID: CVE-2013-0785, CVE-2013-0786
 
Bugzilla is an open-source defect tracking system that manages the entire lifecycle of defects in software development, such as submitting, repairing, and disabling defects.
 
A security vulnerability exists in the implementation of Bugzilla, which can be exploited by malicious users to leak sensitive information and perform cross-site scripting attacks.
 
1. The "id" parameter of show_bug.cgi is not properly filtered. This vulnerability affects 2.0-3.6.12, 3.7.1-4.0.9, 4.1.1-4.2.4.
 
2. An error occurred while running the query in debug mode, which may expose sensitive information. This vulnerability affects 2.17.1-3.6.12, 3.7.1-4.0.9
 
<* Source: SimranJeet Singh

Link: https://bugzilla.mozilla.org/show_bug.cgi? Id = 842038
Http://secunia.com/advisories/52254/
Http://www.bugzilla.org/security/3.6.12/
Https://bugzilla.mozilla.org/show_bug.cgi? Id = 824399
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Bugzilla
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://www.bugzilla.org/security/