CVE-2011-3667

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.x through 3.4.12 Bugzilla versions 3.5.x through 3.6.6 Bugzilla versions 3.7.x through 4.0.2 Bugzilla versions 4.1.x through 4.1.3

Description The issue arises from the User.offer account by email WebService method, which does not properly handle user can create account settings when createemailregexp is not empty. This allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.

Recommendations For Bugzilla versions 2.x through 3.4.12, update to version 3.4.13 or later. For Bugzilla versions 3.5.x through 3.6.6, update to version 3.6.7 or later. For Bugzilla versions 3.7.x through 4.0.2, update to version 4.0.3 or later. For Bugzilla versions 4.1.x through 4.1.3, update to a version later than 4.1.3.