diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index bb77842c9961..6d16688f8fab 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -57,6 +57,55 @@ Notes: --> + + Bugzilla multiple security issues + + + bugzilla44 + 4.4.6 + + + + +

Bugzilla Security Advisory

+
+
Unauthorized Account Creation
+

An attacker creating a new Bugzilla account can override certain + parameters when finalizing the account creation that can lead to the + user being created with a different email address than originally + requested. The overridden login name could be automatically added + to groups based on the group's regular expression setting.

+
Cross-Site Scripting
+

During an audit of the Bugzilla code base, several places + were found where cross-site scripting exploits could occur which + could allow an attacker to access sensitive information.

+
Information Leak
+

If a new comment was marked private to the insider group, and a flag + was set in the same transaction, the comment would be visible to + flag recipients even if they were not in the insider group.

+
Social Engineering
+

Search results can be exported as a CSV file which can then be + imported into external spreadsheet programs. Specially formatted + field values can be interpreted as formulas which can be executed + and used to attack a user's computer.

+
+ +
+ + CVE-2014-1572 + CVE-2014-1573 + CVE-2014-1571 + https://bugzilla.mozilla.org/show_bug.cgi?id=1074812 + https://bugzilla.mozilla.org/show_bug.cgi?id=1075578 + https://bugzilla.mozilla.org/show_bug.cgi?id=1064140 + https://bugzilla.mozilla.org/show_bug.cgi?id=1054702 + + + 2014-10-06 + 2014-10-06 + +
+ rt42 -- vulnerabilities related to shellshock
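Review bot: The references block in this entry lists three CVEs (CVE-2014-1572, CVE-2014-1573, CVE-2014-1571) while the body describes four issues (Unauthorized Account Creation, Cross-Site Scripting, Information Leak, Social Engineering) and cites four bugzilla.mozilla.org bug links; confirm whether the fourth issue has an identifier that should be added, or make clear in the entry that it has none, so each description can be mapped to a reference. While there, list the CVEs in ascending order (CVE-2014-1571, CVE-2014-1572, CVE-2014-1573) rather than the current 1572, 1573, 1571 sequence, which matches how neighbouring entries in vuln.xml order their references and makes omissions easier to spot.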