PT-2005-2543 · Mozilla · Bugzilla

Frédéric Buclin +1 · Published 2005-05-12 · Updated 2017-07-11 · CVE-2005-1564

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Bugzilla versions 2.10 through 2.18
Bugzilla version 2.19.1
Bugzilla version 2.19.2

Description

The issue allows remote authenticated users to enter bugs into products that are closed for bug entry by modifying the URL to specify the name of the product. This is possible due to a flaw in the post_bug.cgi script.

Recommendations

For Bugzilla versions 2.10 through 2.18, update the post_bug.cgi script to properly validate product permissions.
For Bugzilla version 2.19.1, restrict access to the post_bug.cgi script until a proper fix is applied.
For Bugzilla version 2.19.2, consider disabling the post_bug.cgi script temporarily to prevent unauthorized bug entry.


Related Identifiers

CVE-2005-1564

Affected Products

Bugzilla