#VU10660 Cross-site request forgery in Bugzilla - CVE-2018-5123
Published: February 19, 2018 / Updated: February 20, 2018
Vulnerability identifier: #VU10660
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5123
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Bugzilla
Software vendor:
Mozilla
Description
The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.
The weakness exists in the image generation function in 'report.cgi' due to an access control flaw. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
Remediation
The vulnerability is addressed in the following versions: 4.4.13, 5.0.4.