PT-2005-3103 · Mozilla · Bugzilla
Frédéric Buclin · Published 2005-07-08 · Updated 2008-09-05
CVE-2005-2173
CVSS v2.0: 5.0 (Medium), Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Bugzilla versions 2.17.1 through 2.18.1
Bugzilla versions 2.19.1 through 2.19.3
Description:
The Flag::validate and Flag::modify functions (Bugzilla/Flag.pm) do not verify that a submitted flag ID belongs to the bug or attachment being edited. A user editing a bug through process_bug.cgi can therefore submit the ID of a flag that belongs to a different bug, including one they are not permitted to view, and change that flag; the flag change also reveals the summary of the bug the flag belongs to. The flaw is a missing object-level authorization check: the flag ID is an attacker-supplied reference that is never tied back to the bug in the request.
Recommendations:
For Bugzilla versions 2.17.1 through 2.18.1, upgrade to Bugzilla 2.18.2 or later, which includes the fix.
For Bugzilla versions 2.19.1 through 2.19.3, upgrade to Bugzilla 2.20rc1 or later, which includes the fix.
There is no configuration-level workaround: Flag::validate and Flag::modify are internal Perl subroutines called by process_bug.cgi, not endpoints whose access can be restricted. Until the upgrade is applied, the exposure can be narrowed by limiting which users may set or request flags (the grant and request groups on each flag type in editflagtypes.cgi), but this only reduces who can exploit the flaw; the missing check itself remains absent.
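The following is an added illustrative model of the check that was missing, written for this page in Python; it is not Bugzilla's own Perl code. The in-memory store, the Bug/Flag field names, the function names and the form layout ("flag-<id>" mapped to a new status, standing in for what process_bug.cgi receives) are all assumptions. The vulnerable path looks a flag up by ID alone and reports the change against the flag's own bug, which is where a restricted bug's summary escapes; the fixed path refuses any flag whose bug_id (and attach_id) differ from the object being edited.

```python
# Added illustrative model of CVE-2005-2173 (not Bugzilla's code). Store layout,
# field names and the "flag-<id>" form convention are assumptions for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Bug:
    bug_id: int
    summary: str
    groups: Set[str] = field(default_factory=set)  # empty set = visible to everyone


@dataclass
class Flag:
    flag_id: int
    bug_id: int
    attach_id: Optional[int]  # None for a bug-level flag
    status: str               # '?', '+' or '-'


VALID_STATUSES = {"?", "+", "-", "X"}  # X = clear the flag


def can_see_bug(user_groups: Set[str], bug: Bug) -> bool:
    return not bug.groups or bool(bug.groups & user_groups)


def parse_form(form: Dict[str, str]) -> List[Tuple[int, str]]:
    """Turn {'flag-7': '+'} into [(7, '+')], rejecting malformed keys and statuses."""
    out = []
    for key, status in form.items():
        if not key.startswith("flag-") or not key[5:].isdigit():
            raise ValueError(f"malformed field {key!r}")
        if status not in VALID_STATUSES:
            raise ValueError(f"bad status {status!r}")
        out.append((int(key[5:]), status))
    return out


def modify_vulnerable(bugs, flags, user_groups, bug_id, form):
    """Pre-fix behaviour: the flag ID is looked up on its own; nothing ties it to bug_id.
    Returns the (bug_id, summary, status) tuples that would feed the change report,
    which is where the other bug's summary leaks."""
    bug = bugs[bug_id]
    if not can_see_bug(user_groups, bug):
        raise PermissionError("not authorized to view bug")
    changes = []
    for fid, status in parse_form(form):
        flag = flags[fid]                  # exists, but belongs to bug_id? never checked
        flag.status = status
        target = bugs[flag.bug_id]         # the flag's own bug, not the one being edited
        changes.append((target.bug_id, target.summary, status))
    return changes


def modify_fixed(bugs, flags, user_groups, bug_id, form, attach_id=None):
    """Post-fix behaviour: every submitted flag must belong to exactly this bug
    (and this attachment, when an attachment's flags are being edited)."""
    bug = bugs[bug_id]
    if not can_see_bug(user_groups, bug):
        raise PermissionError("not authorized to view bug")
    changes = []
    for fid, status in parse_form(form):
        flag = flags.get(fid)
        if flag is None or flag.bug_id != bug_id or flag.attach_id != attach_id:
            raise PermissionError(f"flag {fid} is not a flag of bug {bug_id}")
        flag.status = status
        changes.append((bug.bug_id, bug.summary, status))
    return changes


def build_store():
    """Constructed sample data: a public bug and a group-restricted bug, each with a flag."""
    bugs = {1: Bug(1, "Typo on login page"),
            2: Bug(2, "Unpatched RCE in upload handler", {"security"})}
    flags = {5: Flag(5, 1, None, "?"),
             7: Flag(7, 2, None, "?")}
    return bugs, flags


def demo():
    """Attacker who sees only public bugs edits bug 1 but submits bug 2's flag ID."""
    attack = {"flag-7": "+"}
    bugs, flags = build_store()
    leaked = modify_vulnerable(bugs, flags, {"public"}, 1, attack)
    bugs, flags = build_store()
    try:
        modify_fixed(bugs, flags, {"public"}, 1, attack)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, flags[7].status


if __name__ == "__main__":
    leaked, blocked, status = demo()
    print("vulnerable path returned:", leaked)
    print("fixed path blocked:", blocked, "| flag 7 status still:", status)
```

The point of the fixed version is that the authorization decision is made on the object named in the request (the bug being edited), and every other identifier in the form is then checked for membership in that object rather than trusted as a free-standing reference.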
Affected Products
Bugzilla