PROBLEM:
A vulnerability has been reported in Bugzilla, which can be exploited by malicious people to conduct cross-site request forgery attacks.
PLATFORM:
Bugzilla 2.x
Bugzilla 3.x
Bugzilla 4.x
ABSTRACT:
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
REFERENCE LINKS:
Vendor Advisory
Secunia Advisory 48835
CVE-2012-0465
CVE-2012-0466
IMPACT ASSESSMENT:
Medium
Discussion:
By abusing the X-FORWARDED-FOR header, an attacker could bypass the lockout policy, allowing possible brute-force discovery of a valid user password.
An attacker can gain access to some bug information under the victim's credentials by means of a specially crafted HTML page.
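The lockout bypass described above, as an added example that is not Bugzilla's own code: a Python login limiter keyed on the client address, in the weak form that trusts a client-supplied X-Forwarded-For header beside the corrected form that honours the header only when the request arrives from a known reverse proxy (the failure threshold, proxy address and sample addresses are constructed for the demonstration).

```python
# Added example (not Bugzilla's own code): a login-lockout tracker keyed on a
# client address, in the weak form that trusts X-Forwarded-For from any peer
# and the corrected form that honours it only from a known reverse proxy.
from collections import defaultdict

MAX_FAILURES = 5                 # lockout threshold (assumed policy value)
TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: address of our own reverse proxy


def client_ip_weak(peer_ip, headers):
    """Weak: any peer may set X-Forwarded-For, so the lockout key is attacker-controlled."""
    return headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()


def client_ip_hardened(peer_ip, headers):
    """Hardened: honour X-Forwarded-For only when the TCP peer is our proxy,
    and then take the last hop (the value the proxy itself appended)."""
    if peer_ip in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[-1].strip()
    return peer_ip


class LoginLimiter:
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, peer_ip, headers, password_ok):
        key = self.key_func(peer_ip, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def locked_attempts(key_func, attempts=20):
    """Constructed scenario: one TCP peer sends `attempts` wrong passwords and
    rotates the X-Forwarded-For value on every request. Returns how many of
    those attempts the limiter refused outright."""
    limiter = LoginLimiter(key_func)
    refused = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}   # constructed, rotates each request
        if limiter.attempt("203.0.113.7", headers, password_ok=False) == "locked":
            refused += 1
    return refused
```

With the weak key every request lands on a fresh counter and nothing is ever refused; the hardened key ties all attempts to the real peer and refuses everything after the fifth failure.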
Impact:
Cross-Site Scripting From Remote
Solution:
Update to version 3.6.9, 4.0.6, or 4.2.1, available at Bugzilla Downloads.