| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <www-apps/bugzilla-3.6.8 Multiple vulnerabilities (CVE-2011-{3657,3667,3668,3669}) | | |
| Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.securityfocus.com/archive/1/521057/30/0/threaded | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 401809 | | |
| Bug Blocks: | | | |
Description
Sean Amoss (RETIRED)
2011-12-29 19:31:06 UTC

GLSA vote: no.

GLSA Vote: no too, closing noglsa.

CVE-2011-3669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3669): Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments.

CVE-2011-3668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3668): Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports.

CVE-2011-3667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3667): The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.

CVE-2011-3657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3657): Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart.

(In reply to comment #3)
> CVE-2011-3669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3669):
> Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
> Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack
> the authentication of arbitrary users for requests that upload attachments.
>
> CVE-2011-3668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3668):
> Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla
> 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the
> authentication of arbitrary users for requests that create bug reports.

Looks like the CSRF issues were assigned these two issues after upstream released the advisories.