CVE-2002-0008

Name of the Vulnerable Software and Affected Versions Bugzilla versions prior to 2.14.1

Description The issue allows remote attackers to spoof a user comment or post a bug as another user. This can be achieved by manipulating the who parameter in an HTTP request to process bug.cgi, bypassing the need for the Bugzilla login cookie. Alternatively, an attacker can modify the reporter parameter in enter bug.cgi, which is then passed to post bug.cgi, to post a bug under a different user's identity.

Recommendations For versions prior to 2.14.1, update to version 2.14.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the process bug.cgi and enter bug.cgi endpoints to minimize the risk of exploitation. Additionally, avoid using the who and reporter parameters in these endpoints until the issue is resolved.