|
Description
|
|
Multiple vulnerabilities have been identified in Bugzilla, which could be exploited by remote attackers to execute arbitrary scripting code, disclose sensitive information, or bypass security restrictions.
The first issue is due to input validation errors when displaying malformed page headers, descriptions of products, components, and other items, which could be exploited by malicious users and administrators to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
The second flaw is due to an error when viewing attachments in "diff" mode, which could allow users who are not members of "insidergroup" to read the descriptions of all attachments.
The third issue is due to an error where the "deadline" field is exposed in the XML format of a bug to all users.
The fourth vulnerability is due to errors in the administrative interface that does not validate certain parameters supplied via HTTP POST and GET requests, which could be exploited by malicious people to manipulate certain information via cross-site request forgery attacks.
The fifth flaw is due to input validation errors in the "showdependencygraph.cgi" script, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
|
