CVE-2011-2978 Information

Description

Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka the old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation.

Reference

http://secunia.com/advisories/45501
http://www.bugzilla.org/security/3.4.11/
http://www.debian.org/security/2011/dsa-2322
http://www.osvdb.org/74301
http://www.securityfocus.com/bid/49042
https://bugzilla.mozilla.org/show_bug.cgi?id=670868
https://exchange.xforce.ibmcloud.com/vulnerabilities/69036