Information disclosure in Bugzilla - CVE-2015-8509

 

Published: January 3, 2016 / Updated: August 9, 2020


Vulnerability identifier: #VU40562
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-8509
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software: Bugzilla

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.


How to mitigate CVE-2015-8509

Install the update from the vendor's website.
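To find installations that still need the update, the version ranges in the description above can be checked mechanically. The following is an added example, not code from the advisory or from the Bugzilla project; the function names and the host inventory are constructed for illustration, and versions outside the ranges the advisory lists are reported as not affected.

```python
import re

# (first version of the affected range, first fixed release), taken from
# the advisory text. Versions are compared as (major, minor, patch) tuples.
AFFECTED_RANGES = [
    ((2, 0, 0), (4, 2, 16)),  # 2.x, 3.x and 4.x before 4.2.16
    ((4, 3, 0), (4, 4, 11)),  # 4.3.x and 4.4.x before 4.4.11
    ((4, 5, 0), (5, 0, 2)),   # 4.5.x and 5.0.x before 5.0.2
]


def parse_version(text):
    """Turn '4.4.10' or '4.4rc1' into a (major, minor, patch) tuple.

    Assumption: a trailing suffix such as 'rc1' or '+' is ignored, so a
    release candidate of X.Y is treated as X.Y.0. None of the fixed
    releases is an X.Y.0 version, so this never hides an affected build.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def is_affected(version_text):
    """True if the version falls in a range the advisory lists."""
    version = parse_version(version_text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def affected_hosts(inventory):
    """Return the sorted host names whose Bugzilla version is affected."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "bugs.example.internal": "4.4.10",
    "tracker.example.internal": "5.0.2",
    "legacy.example.internal": "3.6.13",
    "qa.example.internal": "4.2.16",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2015-8509)")
```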
