DSA-2322-1 bugzilla -- severalID: oval:org.secpod.oval:def:600628 | Date: (C)2012-01-30 (M)2022-10-10 |
Class: PATCH | Family: unix |
Several vulnerabilities were discovered in Bugzilla, a web-based bug tracking system. CVE-2010-4572 By inserting particular strings into certain URLs, it was possible to inject both headers and content to any browser. CVE-2010-4567, CVE-2011-0048 Bugzilla has a "URL" field that can contain several types of URL, including "javascript:" and "data:" URLs. However, it does not make "javascript:" and "data:" URLs into clickable links, to protect against cross-site scripting attacks or other attacks. It was possible to bypass this protection by adding spaces into the URL in places that Bugzilla did not expect them. Also, "javascript:" and "data:" links were *always* shown as clickable to logged-out users. CVE-2010-4568 It was possible for a user to gain unauthorized access to any Bugzilla account in a very short amount of time . CVE-2011-0046 Various pages were vulnerable to Cross-Site Request Forgery attacks. Most of these issues are not as serious as previous CSRF vulnerabilities. CVE-2011-2978 When a user changes his email address, Bugzilla trusts a user-modifiable field for obtaining the current e-mail address to send a confirmation message to. If an attacker has access to the session of another user , the attacker could alter this field to cause the email-change notification to go to their own address. This means that the user would not be notified that his account had its email address changed by the attacker. CVE-2011-2381 For flagmails only, attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications when an attachment flag is edited. CVE-2011-2379 Bugzilla uses an alternate host for attachments when viewing them in raw format to prevent cross-site scripting attacks. This alternate host is now also used when viewing patches in "Raw Unified" mode because Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing, which could lead to the execution of malicious code. CVE-2011-2380 CVE-201-2979 Normally, a group name is confidential and is only visible to members of the group, and to non-members if the group is used in bugs. By crafting the URL when creating or editing a bug, it was possible to guess if a group existed or not, even for groups which weren"t used in bugs and so which were supposed to remain confidential.