Debian DSA-218-1 : bugzilla - XSS

medium Nessus Plugin ID 15055

Synopsis

The remote Debian host is missing a security-related update.

Description

A cross site scripting vulnerability has been reported for Bugzilla, a web-based bug tracking system. Bugzilla does not properly sanitize any input submitted by users for use in quips. As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running Bugzilla. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

This vulnerability only affects users who have the 'quips' feature enabled and who upgraded from version 2.10 which did not exist inside of Debian. The Debian package history of Bugzilla starts with 1.13 and jumped to 2.13. However, users could have installed version 2.10 prior to the Debian package.

Solution

Upgrade the bugzilla packages.

For the current stable distribution (woody) this problem has been fixed in version 2.14.2-0woody3.

The old stable distribution (potato) does not contain a Bugzilla package.

See Also

http://www.debian.org/security/2002/dsa-218

Plugin Details

Severity: Medium

ID: 15055

File Name: debian_DSA-218.nasl

Version: 1.25

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:bugzilla, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/30/2002

Vulnerability Publication Date: 11/9/2002

Reference Information

CVE: CVE-2002-2260

BID: 6257

CWE: 79

DSA: 218