Cross-site request forgery in Bugzilla - CVE-2018-5123
Published: February 19, 2018 / Updated: February 20, 2018
Vulnerability identifier: #VU10660
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5123
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Bugzilla
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.
The weakness exists in the image generation function in 'report.cgi' due to an access control flaw. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
How to mitigate CVE-2018-5123
The vulnerability is addressed in the following versions: 4.4.13, 5.0.4.