7.5

CVE-2009-0486

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaBugzilla Version3.0.7
MozillaBugzilla Version3.2.1
MozillaBugzilla Version3.3.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.57% 0.426
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://secunia.com/advisories/34361
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html
http://www.bugzilla.org/security/3.0.7/
Vendor Advisory
http://www.securityfocus.com/bid/33581