
Test ID: 1.3.6.1.4.1.25623.1.0.72601
Category: FreeBSD Local Security Checks
Title: FreeBSD Ports: bugzilla
Summary: The remote host is missing an update to the system, as announced in the referenced advisory.
Description:
Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.

Vulnerability Insight:
The following package is affected: bugzilla

CVE-2012-4199
template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before
3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4,
and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls
containing private product names or private component names in certain
circumstances involving custom-field visibility control, which allows
remote attackers to obtain sensitive information by reading HTML
source code.

CVE-2012-4198
The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x
and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
4.4.x before 4.4rc1 has a different outcome for a groups request
depending on whether a group exists, which allows remote authenticated
users to discover private group names by observing whether a call
throws an error.

CVE-2012-4197
Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x
before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before
4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to
read attachment descriptions from private bugs via an obsolete=1
insert action.

CVE-2012-4189
Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x
before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote
attackers to inject arbitrary web script or HTML via a field value
that is not properly handled during construction of a tabular report,
as demonstrated by the Version field.

Solution:
Update your system with the appropriate patches or
software upgrades.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2012-4199
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
XForce ISS Database: bugzilla-custom-fields-info-disclosure(80029)
https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
Common Vulnerability Exposure (CVE) ID: CVE-2012-4198
Common Vulnerability Exposure (CVE) ID: CVE-2012-4197
XForce ISS Database: bugzilla-attachment-info-disc(80032)
https://exchange.xforce.ibmcloud.com/vulnerabilities/80032
Common Vulnerability Exposure (CVE) ID: CVE-2012-4189
Copyright: Copyright (C) 2012 E-Soft Inc.

© 1998-2025 E-Soft Inc. All rights reserved.