CVE-2014-1546

Name of the Vulnerable Software and Affected Versions Bugzilla versions 3.x through 4.0.13 Bugzilla versions 4.1.x through 4.2.9 Bugzilla versions 4.3.x through 4.4.4 Bugzilla versions 4.5.x through 4.5.4

Description The issue allows remote attackers to conduct cross-site request forgery (CSRF) attacks and obtain sensitive information. This is achieved via a crafted OBJECT element with SWF content consistent with the bz callback character set, exploiting the JSONP endpoint in jsonrpc.cgi. The estimated number of potentially affected devices worldwide is not specified.

Recommendations For Bugzilla versions 3.x through 4.0.13, update to version 4.0.14 or later. For Bugzilla versions 4.1.x through 4.2.9, update to version 4.2.10 or later. For Bugzilla versions 4.3.x through 4.4.4, update to version 4.4.5 or later. For Bugzilla versions 4.5.x through 4.5.4, update to version 4.5.5 or later.