FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bugzilla -- Cross-Site Request Forgery

Affected packages
2.0.0 <= bugzilla40 < 4.4.3
2.0.0 <= bugzilla42 < 4.4.3
2.0.0 <= bugzilla44 < 4.4.3

Details

VuXML ID 608ed765-c700-11e3-848c-20cf30e32f6d
Discovery 2014-04-17
Entry 2014-04-18
Modified 2014-04-18

A Bugzilla Security Advisory reports:

The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. If the victim then reports a new security sensitive bug, the attacker would get immediate access to this bug.

Due to changes involved in the Bugzilla API, this fix is not backported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12 and older, and 4.2.8 and older, will remain vulnerable to this issue.

References

CVE Name CVE-2014-1517
URL https://bugzilla.mozilla.org/show_bug.cgi?id=713926