Family: CGI abuses --> Category: infos
Bugzilla Multiple Flaws (2) Vulnerability Scan
Vulnerability Scan Summary Searches for the existence of bugzilla
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a CGI application that suffers from
multiple flaws.
Description :
The remote Bugzilla bug tracking system, according to its version
number, is vulnerable to various flaws:
- An administrator may be able to execute arbitrary SQL commands on
the remote host.
- There are instances of information leaks which may let a possible hacker
learn the database password (under certain circumstances, 2.17.x only)
or obtain the names of otherwise hidden products.
- A user with grant membership rights may escalate their rights
and belong to another group.
- There is a cross-site scripting issue in the administrative web
interface.
- Users' passwords may be embedded in URLs (2.17.x only).
- Several information leaks may allow users to ascertain the
names of other users and allow non-users to obtain a list of products,
including those that administrators might want to keep confidential.
See also :
http://www.bugzilla.org/security/
Solution :
Upgrade to 2.16.6 or 2.20 or later.
Threat Level:
Low / CVSS Base Score: 3
(AV:R/AC:L/Au:R/C:P/A:N/I:P/B:N)