4.3

CVE-2014-1546

The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaBugzilla Version3.0
MozillaBugzilla Version3.0 Updaterc1
MozillaBugzilla Version3.0.0
MozillaBugzilla Version3.0.1
MozillaBugzilla Version3.0.2
MozillaBugzilla Version3.0.3
MozillaBugzilla Version3.0.4
MozillaBugzilla Version3.0.5
MozillaBugzilla Version3.0.6
MozillaBugzilla Version3.0.7
MozillaBugzilla Version3.0.8
MozillaBugzilla Version3.0.9
MozillaBugzilla Version3.0.10
MozillaBugzilla Version3.0.11
MozillaBugzilla Version3.1.0
MozillaBugzilla Version3.1.1
MozillaBugzilla Version3.1.2
MozillaBugzilla Version3.1.3
MozillaBugzilla Version3.1.4
MozillaBugzilla Version3.2
MozillaBugzilla Version3.2 Updaterc1
MozillaBugzilla Version3.2 Updaterc2
MozillaBugzilla Version3.2.1
MozillaBugzilla Version3.2.2
MozillaBugzilla Version3.2.3
MozillaBugzilla Version3.2.4
MozillaBugzilla Version3.2.5
MozillaBugzilla Version3.2.6
MozillaBugzilla Version3.2.7
MozillaBugzilla Version3.2.8
MozillaBugzilla Version3.2.9
MozillaBugzilla Version3.2.10
MozillaBugzilla Version3.3
MozillaBugzilla Version3.3.1
MozillaBugzilla Version3.3.2
MozillaBugzilla Version3.3.3
MozillaBugzilla Version3.3.4
MozillaBugzilla Version3.4
MozillaBugzilla Version3.4 Updaterc1
MozillaBugzilla Version3.4.1
MozillaBugzilla Version3.4.2
MozillaBugzilla Version3.4.3
MozillaBugzilla Version3.4.4
MozillaBugzilla Version3.4.5
MozillaBugzilla Version3.4.6
MozillaBugzilla Version3.4.7
MozillaBugzilla Version3.4.8
MozillaBugzilla Version3.4.9
MozillaBugzilla Version3.4.10
MozillaBugzilla Version3.4.11
MozillaBugzilla Version3.4.12
MozillaBugzilla Version3.4.13
MozillaBugzilla Version3.5
MozillaBugzilla Version3.5.1
MozillaBugzilla Version3.5.2
MozillaBugzilla Version3.5.3
MozillaBugzilla Version3.6
MozillaBugzilla Version3.6 Updaterc1
MozillaBugzilla Version3.6.0
MozillaBugzilla Version3.6.1
MozillaBugzilla Version3.6.2
MozillaBugzilla Version3.6.3
MozillaBugzilla Version3.6.4
MozillaBugzilla Version3.6.5
MozillaBugzilla Version3.6.6
MozillaBugzilla Version3.6.7
MozillaBugzilla Version3.6.8
MozillaBugzilla Version3.6.9
MozillaBugzilla Version3.6.10
MozillaBugzilla Version3.6.11
MozillaBugzilla Version3.6.12
MozillaBugzilla Version3.6.13
MozillaBugzilla Version3.7
MozillaBugzilla Version3.7.1
MozillaBugzilla Version3.7.2
MozillaBugzilla Version3.7.3
MozillaBugzilla Version4.0
MozillaBugzilla Version4.0 Updaterc1
MozillaBugzilla Version4.0 Updaterc2
MozillaBugzilla Version4.0.1
MozillaBugzilla Version4.0.2
MozillaBugzilla Version4.0.3
MozillaBugzilla Version4.0.4
MozillaBugzilla Version4.0.5
MozillaBugzilla Version4.0.6
MozillaBugzilla Version4.0.7
MozillaBugzilla Version4.0.8
MozillaBugzilla Version4.0.9
MozillaBugzilla Version4.0.10
MozillaBugzilla Version4.0.11
MozillaBugzilla Version4.0.12
MozillaBugzilla Version4.0.13
MozillaBugzilla Version4.1
MozillaBugzilla Version4.1.1
MozillaBugzilla Version4.1.2
MozillaBugzilla Version4.1.3
MozillaBugzilla Version4.2
MozillaBugzilla Version4.2 Updaterc1
MozillaBugzilla Version4.2 Updaterc2
MozillaBugzilla Version4.2.1
MozillaBugzilla Version4.2.2
MozillaBugzilla Version4.2.3
MozillaBugzilla Version4.2.4
MozillaBugzilla Version4.2.5
MozillaBugzilla Version4.2.6
MozillaBugzilla Version4.2.7
MozillaBugzilla Version4.2.8
MozillaBugzilla Version4.2.9
MozillaBugzilla Version4.3
MozillaBugzilla Version4.3.1
MozillaBugzilla Version4.3.2
MozillaBugzilla Version4.3.3
MozillaBugzilla Version4.4 Update-
MozillaBugzilla Version4.4 Updaterc1
MozillaBugzilla Version4.4 Updaterc2
MozillaBugzilla Version4.4.1
MozillaBugzilla Version4.4.2
MozillaBugzilla Version4.4.3
MozillaBugzilla Version4.4.4
MozillaBugzilla Version4.5
MozillaBugzilla Version4.5.1
MozillaBugzilla Version4.5.2
MozillaBugzilla Version4.5.3
MozillaBugzilla Version4.5.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.54% 0.412
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://advisories.mageia.org/MGASA-2014-0349.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136217.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136369.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:169
http://www.securityfocus.com/archive/1/532895
http://www.securitytracker.com/id/1030648
https://bugzilla.mozilla.org/show_bug.cgi?id=1036213
Vendor Advisory