PT-2015-6605 · Mozilla · Bugzilla
Netanel Rubin
·
Published
2015-09-14
·
Updated
2016-12-22
·
CVE-2015-4499
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Bugzilla versions 2.x through 4.2.14
Bugzilla versions 4.3.x through 4.3.x before 4.4.10
Bugzilla versions 4.4.x through 4.4.9
Bugzilla versions 5.x through 5.0.0
Description
The issue mishandles long e-mail addresses during account registration, allowing remote attackers to obtain default privileges for an arbitrary domain name by placing that name in a substring of an address. This can be demonstrated by the truncation of an @mozilla.com.example.com address to an @mozilla.com address.
Recommendations
For Bugzilla versions 2.x through 4.2.14, update to version 4.2.15 or later.
For Bugzilla versions 4.3.x through 4.3.x before 4.4.10, update to version 4.4.10 or later.
For Bugzilla versions 4.4.x through 4.4.9, update to version 4.4.10 or later.
For Bugzilla versions 5.x through 5.0.0, update to version 5.0.1 or later.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bugzilla