PT-2011-4217 · Mozilla · Bugzilla
Reed
Published 2011-08-09 · Updated 2017-08-29
CVE-2011-2978
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Bugzilla versions 2.16rc1 through 2.22.7
Bugzilla versions 3.0.x through 3.3.x
Bugzilla versions 3.4.x before 3.4.12
Bugzilla version 3.5.x
Bugzilla versions 3.6.x before 3.6.6
Bugzilla version 3.7.x
Bugzilla versions 4.0.x before 4.0.2
Bugzilla versions 4.1.x before 4.1.3
Description
Bugzilla does not prevent changes to the confirmation e-mail address, also known as the old email field, that it uses for e-mail change notifications. A remote attacker with access to an unattended, logged-in workstation can therefore change the account's e-mail address to an arbitrary one, because the confirmation step does not stop the change.
Recommendations
For Bugzilla versions 2.16rc1 through 2.22.7, update to a version outside of this range to prevent arbitrary address changes.
For Bugzilla versions 3.0.x through 3.3.x, update to a version outside of this range to prevent arbitrary address changes.
For Bugzilla versions 3.4.x before 3.4.12, update to version 3.4.12 or later to prevent arbitrary address changes.
For Bugzilla version 3.5.x, update to a version outside of this range to prevent arbitrary address changes.
For Bugzilla versions 3.6.x before 3.6.6, update to version 3.6.6 or later to prevent arbitrary address changes.
For Bugzilla version 3.7.x, update to a version outside of this range to prevent arbitrary address changes.
For Bugzilla versions 4.0.x before 4.0.2, update to version 4.0.2 or later to prevent arbitrary address changes.
For Bugzilla versions 4.1.x before 4.1.3, update to version 4.1.3 or later to prevent arbitrary address changes.
Affected Products
Bugzilla