PT-2012-5241 · Mozilla · Bugzilla
Frédéric Buclin
·
Published
2012-11-16
·
Updated
2017-08-29
·
CVE-2012-4197
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Bugzilla versions 2.x through 3.x before 3.6.12
Bugzilla versions 3.7.x
Bugzilla versions 4.0.x before 4.0.9
Bugzilla versions 4.1.x
Bugzilla versions 4.2.x before 4.2.4
Bugzilla versions 4.3.x and 4.4.x before 4.4rc1
Description
The issue allows remote attackers to read attachment descriptions from private bugs. This is achieved via an obsolete=1 insert action in the attachment.cgi script.
Recommendations
For versions 2.x through 3.x before 3.6.12, update to version 3.6.12 or later.
For versions 3.7.x, update to a version after 3.7.x.
For versions 4.0.x before 4.0.9, update to version 4.0.9 or later.
For versions 4.1.x, update to a version after 4.1.x.
For versions 4.2.x before 4.2.4, update to version 4.2.4 or later.
For versions 4.3.x and 4.4.x before 4.4rc1, update to version 4.4rc1 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bugzilla