FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Bugzilla multiple security issues

Affected packages
bugzilla44 < 4.4.7

Details

VuXML ID dc2d76df-a595-11e4-9363-20cf30e32f6d
Discovery 2015-01-21
Entry 2015-01-26

Bugzilla Security Advisory

Command Injection

Some code in Bugzilla does not use the three-argument form of open(), so an account with editcomponents permissions can inject commands through product names and other attributes.
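The following is an added illustration, not Bugzilla's own code, of the Perl pitfall behind this advisory: the two-argument open() parses mode characters out of the string it is handed, whereas the three-argument form treats the string as a literal path. The untrusted name and the temporary directory are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not from Bugzilla): two-argument vs three-argument open().
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Work inside a throwaway directory so the demonstration cannot touch
# anything real.
my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir: $!";

# A constructed attacker-influenced "name". A leading '>' is read as a
# mode by two-argument open(); a '|' at either end would be read as a
# pipe to a shell command, which is the command-injection case.
my $untrusted = '>clobbered';

# Unsafe: two-argument open(). Perl treats the leading '>' as "open for
# writing", so this CREATES/TRUNCATES a file named "clobbered" instead
# of reading a file literally named ">clobbered".
sub two_arg_open {
    my ($name) = @_;
    open(my $fh, $name) or return "failed: $!";
    close $fh;
    return "opened";
}

# Safe: three-argument open() with an explicit mode. The whole string is
# the path, so '>clobbered' is simply a file name that does not exist.
sub three_arg_open {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "failed: $!";
    close $fh;
    return "opened";
}

printf "two-arg  : %s; file 'clobbered' exists: %s\n",
    two_arg_open($untrusted), (-e 'clobbered' ? 'yes' : 'no');
unlink 'clobbered';
printf "three-arg: %s; file 'clobbered' exists: %s\n",
    three_arg_open($untrusted), (-e 'clobbered' ? 'yes' : 'no');

chdir $orig or die "chdir: $!";
```

The fix shipped in Bugzilla 4.4.7 is the second pattern: an explicit mode argument, so that user-controlled strings such as product names can never be interpreted as modes or pipes.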

Information Leak

Using the WebServices API, a user may be able to execute functions imported from other, non-WebService modules. A whitelist has now been added that lists the explicit methods that can be executed via the API.

References

CVE Name CVE-2014-8630
URL https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
URL https://bugzilla.mozilla.org/show_bug.cgi?id=1090275