CVE-2005-2173

Name of the Vulnerable Software and Affected Versions: Bugzilla versions 2.17.1 through 2.18.1 Bugzilla versions 2.19.1 through 2.19.3

Description: The issue concerns the Flag::validate and Flag::modify functions, which fail to verify that the flag ID is appropriate for the given bug or attachment ID. This allows users to change flags on arbitrary bugs and obtain a bug summary via the "process bug.cgi" endpoint.

Recommendations: For Bugzilla versions 2.17.1 through 2.18.1, update to a version that includes the fix for this issue. For Bugzilla versions 2.19.1 through 2.19.3, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Flag::validate and Flag::modify functions until a patch is available.