Bugzilla Multiple Vulnerabilities Fixed by 4.2.16, 4.4.11 and 5.0.2


Description   (#Several vulnerabilities have been identified in Bugzilla:#- CVE-2015-8508: stored cross-site scripting in generated map files via escaped HTML characters injection in a bug summary#- CVE-2015-8509: information leak. A remote attacker could exploit it via a specially crafted external web page in order to access buglists generated by Bugzilla in CSV format on the user's computer.)
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 22, 23FreeBSD (FreeBSD) - AllVulnerable Software:
Bugzilla (Mozilla) - 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, ..., 4.5.4, 4.5.5, 4.5.6, 5.0, 5.0.1
     
Solution   Fixed bugzilla packages for Fedora 22 are available.
     
CVE   CVE-2015-8509
CVE-2015-8508
     
References   - VuXML : Bugzilla security issues
http://www.vuxml.org/freebsd/54075861-a95a-11e5-8b40-20cf30e32f6d.html
- Bugzilla : 5.0.1, 4.4.10, and 4.2.15 Security Advisory
https://www.bugzilla.org/security/4.2.15/
- FEDORA-2015-247b517a18 : Fedora 23 Update: bugzilla-4.4.11-1.fc23
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175113.html
- FEDORA-2015-caf3f74321 : Fedora 22 Update: bugzilla-4.4.11-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175209.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - POST : suspicious 'meta' tag found in data
3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data
3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data
5.0.0
XSS - Prevention - POST : javascript code found in data
5.0.0
XSS - Prevention - POST : suspicious tag with event found in data
5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data
5.0.0
XSS - Prevention - POST : 'location' javascript object found in data
5.0.0
XSS - Prevention - POST : code allowing cookie access found in data
5.0.0
XSS - Prevention - POST : 'script' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data
5.0.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-12-22 

 Target Type 
Server 

 Possible exploit 
Remote