PT-2002-1117 · Mozilla · Bugzilla

Published: 2002-01-10 · Updated: 2008-09-10 · CVE-2002-0010

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Bugzilla versions prior to 2.14.1

Description: The issue allows remote attackers to inject arbitrary SQL code, create files, or gain privileges through various parameters in several CGI scripts. Specifically, the following are vulnerable: the sql parameter in buglist.cgi; invalid field names from the "boolean chart" query in buglist.cgi; the mybugslink parameter in userprefs.cgi; a malformed bug ID in the buglist parameter in long_list.cgi; and the value parameter in editusers.cgi. The last of these allows groupset privileges to be modified by attackers who hold blessgroupset privileges.

Recommendations: For versions prior to 2.14.1, update to version 2.14.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable CGI scripts (buglist.cgi, userprefs.cgi, long_list.cgi, and editusers.cgi) until the update is applied. Additionally, limit the use of the vulnerable parameters (sql, mybugslink, buglist, and value) to minimize the risk of exploitation.

Fix


Related identifiers

CVE-2002-0010

Affected products

Bugzilla