oss-sec mailing list archives

Re: Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation)


From: Tomas Hoger <thoger () redhat com>
Date: Tue, 13 May 2008 14:06:32 +0200

On Tue, 13 May 2008 13:07:11 +0200 Hanno Böck <hanno () hboeck de> wrote:

> The WebService in Bugzilla before 3.1.3 allows remote authenticated
> users without canconfirm privileges to create NEW or ASSIGNED bug
> entries via a request to the XML-RPC interface, which bypasses the
> canconfirm check.
>
> I think this should be "3.1.3 and before"?
> As 3.1.3 is also affected according to the upstream advisory.

Probably "in Bugzilla 3.1.3":

https://bugzilla.mozilla.org/show_bug.cgi?id=415471#c5

  Frédéric Buclin   2008-05-04 14:58:19 PDT
  This regression was introduced by bug 402791 in Bugzilla 3.1.3.

?

-- 
Tomas Hoger / Red Hat Security Response Team

