Test ID:	1.3.6.1.4.1.25623.1.0.892672
Category:	Web application abuses
Title:	Bugzilla LDAP Code Injection And Security Bypass Vulnerabilities
Summary:	Bugzilla is prone to code injection and security bypass vulnerabilities.
Description:	Summary: Bugzilla is prone to code injection and security bypass vulnerabilities. Vulnerability Insight: The flaws are due to - When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection. - Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data. Vulnerability Impact: Successful exploitation will allow remote attackers to gain sensitive information and bypass security restriction on the affected site. Affected Software/OS: Bugzilla 2.x and 3.x to 3.6.11, 3.7.x and 4.0.x to 4.0.7, 4.1.x and 4.2.x to 4.2.2, and 4.3.x to 4.3.2 Solution: Upgrade to Bugzilla version 4.0.8, 4.2.3, 4.3.3 or higher. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-4747 Common Vulnerability Exposure (CVE) ID: CVE-2012-3981 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 https://bugzilla.mozilla.org/show_bug.cgi?id=785112 http://osvdb.org/85072 XForce ISS Database: bugzilla-ldap-data-manipulation(78193) https://exchange.xforce.ibmcloud.com/vulnerabilities/78193
Copyright	Copyright (C) 2012 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.