PT-2012-1731 · Mozilla · Bugzilla
Frédéric Buclin
·
Published
2012-01-02
·
Updated
2017-08-29
·
CVE-2011-3667
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Bugzilla versions 2.x through 3.4.12
Bugzilla versions 3.5.x through 3.6.6
Bugzilla versions 3.7.x through 4.0.2
Bugzilla versions 4.1.x through 4.1.3
Description
The issue arises from the User.offer account by email WebService method, which does not properly handle user can create account settings when createemailregexp is not empty. This allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.
Recommendations
For Bugzilla versions 2.x through 3.4.12, update to version 3.4.13 or later.
For Bugzilla versions 3.5.x through 3.6.6, update to version 3.6.7 or later.
For Bugzilla versions 3.7.x through 4.0.2, update to version 4.0.3 or later.
For Bugzilla versions 4.1.x through 4.1.3, update to a version later than 4.1.3.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bugzilla