oss-sec mailing list archives
Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation)
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 13 May 2008 13:07:11 +0200
Am Mittwoch 07 Mai 2008 schrieb Steven M. Christey:
====================================================== Name: CVE-2008-2104 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2104 Reference: CONFIRM:http://www.bugzilla.org/security/2.20.5/ Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=415471 Reference: BID:29038 Reference: URL:http://www.securityfocus.com/bid/29038 Reference: FRSIRT:ADV-2008-1428 Reference: URL:http://www.frsirt.com/english/advisories/2008/1428/references Reference: SECTRACK:1019968 Reference: URL:http://www.securitytracker.com/id?1019968 Reference: SECUNIA:30064 Reference: URL:http://secunia.com/advisories/30064 Reference: XF:bugzilla-xmlrpc-security-bypass(42218) Reference: URL:http://xforce.iss.net/xforce/xfdb/42218 The WebService in Bugzilla before 3.1.3 allows remote authenticated users without canconfirm privileges to create NEW or ASSIGNED bug entries via a request to the XML-RPC interface, which bypasses the canconfirm check.
I think this should be "3.1.3 and before" ? As 3.1.3 is also affected according to the upstream advisory. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno () hboeck de
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Christian Hoffmann (May 07)
- Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Steven M. Christey (May 07)
- Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Hanno Böck (May 13)
- Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Tomas Hoger (May 13)
- Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Steven M. Christey (May 13)
- Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Hanno Böck (May 13)
- Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation) Steven M. Christey (May 07)