bugzilla -- multiple vulnerabilities

2007-08-2300:00:00

vuxml.freebsd.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.069

Percentile

94.0%

JSON

A Bugzilla Security Advisory reports:

This advisory covers three security issues that have recently been
fixed in the Bugzilla code:

A possible cross-site scripting (XSS) vulnerability when filing
bugs using the guided form.
When using email_in.pl, insufficiently escaped data may be
passed to sendmail.
Users using the WebService interface may access Bugzilla’s
time-tracking fields even if they normally cannot see them.

We strongly advise that 2.20.x and 2.22.x users should upgrade to
2.20.5 and 2.22.3 respectively. 3.0 users, and users of 2.18.x or
below, should upgrade to 3.0.1.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchbugzilla= 2.20.*UNKNOWN
FreeBSDanynoarchbugzilla< 2.22.3UNKNOWN
FreeBSDanynoarchja-bugzilla= 2.20.*UNKNOWN
FreeBSDanynoarchja-bugzilla< 2.22.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	bugzilla	= 2.20.*	UNKNOWN
FreeBSD	any	noarch	bugzilla	< 2.22.3	UNKNOWN
FreeBSD	any	noarch	ja-bugzilla	= 2.20.*	UNKNOWN
FreeBSD	any	noarch	ja-bugzilla	< 2.22.3	UNKNOWN