CVE-2002-0010 Information

Feb 14, 2021 cve

Description

Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi (2) invalid field names from the \boolean chart\ query in buglist.cgi (3) the mybugslink parameter in userprefs.cgi (4) a malformed bug ID in the buglist parameter in long_list.cgi and (5) the value parameter in editusers.cgi which allows groupset privileges to be modified by attackers with blessgroupset privileges.

Reference

http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html http://archives.neohapsis.com/archives/bugtraq/2002-01/0052.html http://bugzilla.mozilla.org/show_bug.cgi?id=108812 http://bugzilla.mozilla.org/show_bug.cgi?id=108821 http://bugzilla.mozilla.org/show_bug.cgi?id=108822 http://bugzilla.mozilla.org/show_bug.cgi?id=109679 http://bugzilla.mozilla.org/show_bug.cgi?id=109690 http://rhn.redhat.com/errata/RHSA-2002-001.html http://www.bugzilla.org/bugzilla2.14to2.14.1.patch http://www.bugzilla.org/security2_14_1.html http://www.iss.net/security_center/static/7807.php http://www.iss.net/security_center/static/7809.php http://www.iss.net/security_center/static/7811.php http://www.iss.net/security_center/static/7813.php http://www.iss.net/security_center/static/7814.php http://www.securityfocus.com/bid/3801 http://www.securityfocus.com/bid/3802 http://www.securityfocus.com/bid/3804 http://www.securityfocus.com/bid/3805

Share on: