Mozilla · Bugzilla · CVE-2010-0180
**Name of the Vulnerable Software and Affected Versions**
Bugzilla versions 3.5.1 through 3.7
**Description**
When `use_suexec` is enabled, the localconfig files are given world-readable permissions, which allows local users to read sensitive configuration fields. This can be demonstrated by reading the database password field and the site-wide secret field.
**Recommendations**
For Bugzilla versions 3.5.1 through 3.7, consider changing the permissions of the localconfig files so that they are not world-readable when `use_suexec` is enabled. As a temporary workaround, restrict access to the localconfig files to minimize the risk of exploitation.
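
A check for the condition described above, as an added example that is not part of the original advisory or Bugzilla's own code: it reports `localconfig*` files whose other-read bit is set and, with `FIX=1`, removes other access from them. The `localconfig*` glob and the install directory argument are assumptions; `$db_pass` and `$site_wide_secret` are Bugzilla's variable names for the two fields named in the description.

```shell
#!/bin/sh
# Added example: audit a Bugzilla directory for world-readable localconfig files.
# Assumptions: the files match localconfig* at the top of the directory in $1;
# $db_pass and $site_wide_secret are Bugzilla's names for the two fields.

# True when the regular file $1 has the "other" read bit set.
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004)" ]
}

# Print which of the sensitive fields are assigned in file $1.
sensitive_fields() {
    for key in db_pass site_wide_secret; do
        if grep -q "^[[:space:]]*[\$]$key[[:space:]]*=" "$1"; then
            printf '%s ' "$key"
        fi
    done
}

# Returns 0 when no file is exposed, 1 when at least one was found exposed.
# With FIX=1, all "other" access is removed from each exposed file; the
# return value still reports the state found, so rerun to confirm.
audit_localconfig() {
    dir=$1
    exposed=0
    for f in "$dir"/localconfig*; do
        [ -f "$f" ] || continue
        if is_world_readable "$f"; then
            exposed=1
            echo "EXPOSED: $f (fields: $(sensitive_fields "$f"))"
            if [ "${FIX:-0}" = 1 ]; then
                chmod o-rwx "$f"
                echo "  fixed: other access removed"
            fi
        else
            echo "ok: $f"
        fi
    done
    return "$exposed"
}
```

Run `audit_localconfig /path/to/bugzilla` first to see the report, then again with `FIX=1` set to apply the permission change.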