CVE-2001-1402

Name of the Vulnerable Software and Affected Versions Bugzilla versions prior to 2.14

Description The issue allows remote attackers to conduct unauthorized activities via cross-site scripting (XSS) and possibly SQL injection attacks. This can occur through various parameters and fields in different CGI scripts, including reports.cgi, showvotes.cgi, createaccount.cgi, showdependencytree.cgi, process bug.cgi, and buglist.cgi. The vulnerable parameters and fields include product and output form variables, voteon, bug id, and user variables, invalid email addresses, invalid IDs, invalid usernames, and other fields, as well as error messages.

Recommendations For Bugzilla versions prior to 2.14, update to version 2.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected CGI scripts until a patch is available. Avoid using untrusted input in the vulnerable parameters and fields, such as product and output form variables, voteon, bug id, and user variables, until the issue is resolved.