CVE-2009-3166

2009-09-1522:30:00

CWE-255

mitre

web.nvd.nist.gov

cve-2009-3166

bugzilla 3.4rc1

bugzilla 3.4.1

password exposure

web-server access logs

web-server referer logs

browser history

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

6.2

Confidence

Low

EPSS

0.003

Percentile

70.9%

JSON

token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.

Affected configurations

Nvd

Node

mozillabugzillaMatch3.4

mozillabugzillaMatch3.4rc1

mozillabugzillaMatch3.4.1

VendorProductVersionCPE
mozillabugzilla3.4cpe:2.3:a:mozilla:bugzilla:3.4:*:*:*:*:*:*:*
mozillabugzilla3.4cpe:2.3:a:mozilla:bugzilla:3.4:rc1:*:*:*:*:*:*
mozillabugzilla3.4.1cpe:2.3:a:mozilla:bugzilla:3.4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	bugzilla	3.4	cpe:2.3:a:mozilla:bugzilla:3.4:::::::*
mozilla	bugzilla	3.4	cpe:2.3:a:mozilla:bugzilla:3.4:rc1::::::
mozilla	bugzilla	3.4.1	cpe:2.3:a:mozilla:bugzilla:3.4.1:::::::*