CVE-2015-4499

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.x through 4.2.14 Bugzilla versions 4.3.x through 4.3.x before 4.4.10 Bugzilla versions 4.4.x through 4.4.9 Bugzilla versions 5.x through 5.0.0

Description The issue mishandles long e-mail addresses during account registration, allowing remote attackers to obtain default privileges for an arbitrary domain name by placing that name in a substring of an address. This can be demonstrated by the truncation of an @mozilla.com.example.com address to an @mozilla.com address.

Recommendations For Bugzilla versions 2.x through 4.2.14, update to version 4.2.15 or later. For Bugzilla versions 4.3.x through 4.3.x before 4.4.10, update to version 4.4.10 or later. For Bugzilla versions 4.4.x through 4.4.9, update to version 4.4.10 or later. For Bugzilla versions 5.x through 5.0.0, update to version 5.0.1 or later.