
oss-sec mailing list archives

CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation)
From: Christian Hoffmann <hoffie () gentoo org>
Date: Wed, 07 May 2008 20:42:47 +0200


Can we please get CVE IDs assigned for the three issues mentioned in the release announcement [1] of the new Bugzilla versions?

* Users without the "canconfirm" privilege could enter a bug as
  NEW or ASSIGNED by using the XML-RPC interface.

* When viewing several bugs at once, there was a Cross-Site
  Scripting hole.

* The inbound email interface allowed you to set the Reporter via
  the text of the email, instead of just using the From header.

[1] http://www.bugzilla.org/security/2.20.5/

Christian Hoffmann

Attachment: signature.asc
Description: OpenPGP digital signature
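
The third issue above, seen from the fix side, as an added example that is not part of the original post and is not Bugzilla's code: an inbound-mail parser that takes the reporter only from the From header and records any body attempt to set it. The `@field = value` body syntax, the allowlist and all names are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Hypothetical allowlist of fields a sender may set from the message body.
# "reporter" is deliberately absent: identity comes from the From header only.
BODY_SETTABLE = {"product", "component", "version", "severity"}

# Constructed sample: the body tries to file the bug as someone else.
SAMPLE = """\
From: Mallory <mallory@example.org>
Subject: crash on startup

@product = TestProduct
@reporter = admin@example.org
@severity = major

It crashes when I start it.
"""

def parse_inbound(raw):
    """Return (bug_fields, rejected_field_names) for a single-part message."""
    msg = email.message_from_string(raw)
    if msg.is_multipart():
        raise ValueError("only single-part text messages are handled here")
    _, sender = parseaddr(msg.get("From", ""))
    if "@" not in sender:
        raise ValueError("no usable From address")

    bug = {"reporter": sender.lower(), "summary": msg.get("Subject", "").strip()}
    rejected, comment, directives_open = [], [], True
    for line in msg.get_payload().splitlines():
        text = line.strip()
        # Assumed syntax: '@field = value' lines at the top of the body.
        if directives_open and text.startswith("@") and "=" in text:
            name, value = text[1:].split("=", 1)
            name = name.strip().lower()
            if name in BODY_SETTABLE:
                bug[name] = value.strip()
            else:
                rejected.append(name)  # worth logging as a rejected override
            continue
        if text:
            directives_open = False
        comment.append(line)
    bug["comment"] = "\n".join(comment).strip()
    return bug, rejected

if __name__ == "__main__":
    print(parse_inbound(SAMPLE))
```

The From header is itself only as trustworthy as the sender authentication applied by the receiving mail path.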
