CGI abuses : Bugzilla Multiple Flaws (2)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.13635

Categoría: CGI abuses

Título: Bugzilla Multiple Flaws (2)

Resumen: NOSUMMARY

Descripción: Description:

The remote Bugzilla bug tracking system, according to its version number, is
vulnerable to various flaws :

- An administratrator may be able to execute arbitrary SQL commands on the
remote host

- There are instances of information leaks which may let an attacker know
the database password (under certain circumstances, 2.17.x only) or obtain
the names of otherwise hidden products

- A user with grant membership privileges may escalate his privileges
and belong to another group

- There is a cross site scripting issue in the administrative web interface

- Users passwords may be embedded in URLs (2.17.x only)

Solution : Upgrade to 2.16.6 or 2.18rc1
Risk factor : Medium

Referencia Cruzada: BugTraq ID: 10698
Common Vulnerability Exposure (CVE) ID: CVE-2004-0707
http://www.securityfocus.com/bid/10698
Bugtraq: 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 (Google Search)
http://marc.info/?l=bugtraq&m=108965446813639&w=2
XForce ISS Database: bugzilla-editusers-sql-injection(16668)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16668
Common Vulnerability Exposure (CVE) ID: CVE-2004-0706
XForce ISS Database: bugzilla-chart-view-password(16669)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16669
Common Vulnerability Exposure (CVE) ID: CVE-2004-0705
XForce ISS Database: bugzilla-edit-xss(16670)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16670
Common Vulnerability Exposure (CVE) ID: CVE-2004-0704
XForce ISS Database: bugzilla-product-name-disclosure(16671)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16671
Common Vulnerability Exposure (CVE) ID: CVE-2004-0703
XForce ISS Database: bugzilla-editusers-gain-privileges(16672)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16672
Common Vulnerability Exposure (CVE) ID: CVE-2004-0702
XForce ISS Database: bugzilla-database-password-disclosure(16673)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16673

Copyright This script is Copyright (C) 2004 Tenable Network Security

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.13635
Categoría:	CGI abuses
Título:	Bugzilla Multiple Flaws (2)
Resumen:	NOSUMMARY
Descripción:	Description: The remote Bugzilla bug tracking system, according to its version number, is vulnerable to various flaws : - An administratrator may be able to execute arbitrary SQL commands on the remote host - There are instances of information leaks which may let an attacker know the database password (under certain circumstances, 2.17.x only) or obtain the names of otherwise hidden products - A user with grant membership privileges may escalate his privileges and belong to another group - There is a cross site scripting issue in the administrative web interface - Users passwords may be embedded in URLs (2.17.x only) Solution : Upgrade to 2.16.6 or 2.18rc1 Risk factor : Medium
Referencia Cruzada:	BugTraq ID: 10698 Common Vulnerability Exposure (CVE) ID: CVE-2004-0707 http://www.securityfocus.com/bid/10698 Bugtraq: 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 (Google Search) http://marc.info/?l=bugtraq&m=108965446813639&w=2 XForce ISS Database: bugzilla-editusers-sql-injection(16668) https://exchange.xforce.ibmcloud.com/vulnerabilities/16668 Common Vulnerability Exposure (CVE) ID: CVE-2004-0706 XForce ISS Database: bugzilla-chart-view-password(16669) https://exchange.xforce.ibmcloud.com/vulnerabilities/16669 Common Vulnerability Exposure (CVE) ID: CVE-2004-0705 XForce ISS Database: bugzilla-edit-xss(16670) https://exchange.xforce.ibmcloud.com/vulnerabilities/16670 Common Vulnerability Exposure (CVE) ID: CVE-2004-0704 XForce ISS Database: bugzilla-product-name-disclosure(16671) https://exchange.xforce.ibmcloud.com/vulnerabilities/16671 Common Vulnerability Exposure (CVE) ID: CVE-2004-0703 XForce ISS Database: bugzilla-editusers-gain-privileges(16672) https://exchange.xforce.ibmcloud.com/vulnerabilities/16672 Common Vulnerability Exposure (CVE) ID: CVE-2004-0702 XForce ISS Database: bugzilla-database-password-disclosure(16673) https://exchange.xforce.ibmcloud.com/vulnerabilities/16673
Copyright	This script is Copyright (C) 2004 Tenable Network Security