Casey Klein

#49240 of 53,630
5 Total CVSS
Vulnerabilities · 1
PT-2004-2539
5.0
2004-10-25
Mozilla · Bugzilla · CVE-2004-1633
**Name of the Vulnerable Software and Affected Versions**

Bugzilla versions 2.9 through 2.18rc2; Bugzilla version 2.19 from CVS

**Description**

The issue allows remote authenticated users to modify the keywords in a bug. This is due to the `process_bug.cgi` script not checking edit permissions on the keywords field. The modification can be done via the `keywordaction` parameter.

**Recommendations**

For Bugzilla versions 2.9 through 2.18rc2, restrict access to the `process_bug.cgi` script until a fix is available. For Bugzilla version 2.19 from CVS, avoid using the `keywordaction` parameter in the `process_bug.cgi` script until the issue is resolved.