CVE-2014-1546

Published: Aug 14, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
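As an added example (not Bugzilla's own code), a minimal JSONP responder in Python showing the weak form beside a hardened form: the hardened version caps the callback length, restricts its character set, and puts fixed bytes at the start of the response so that the initial bytes of the body are never chosen by the caller. The character set, length limit and prefix used here are assumptions for the example, not values taken from Bugzilla.

```python
import json
import re

# Constructed policy for this example (assumed, not Bugzilla's values):
# only identifier characters and dots, a hard length cap, and a fixed
# prefix so the response never begins with caller-supplied bytes.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
MAX_CALLBACK_LEN = 64
RESPONSE_PREFIX = "/**/"


def jsonp_unrestricted(callback, payload):
    """Weak form: the callback is echoed verbatim at byte 0 of the body.

    Whatever the caller passes as the callback name becomes the first
    bytes of the response, and nothing bounds its length.
    """
    return f"{callback}({json.dumps(payload, separators=(',', ':'))});"


def validate_callback(callback):
    """Return True only for short, identifier-like callback names."""
    if not callback or len(callback) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.match(callback) is not None


def jsonp_hardened(callback, payload):
    """Hardened form: validated callback plus a fixed response prefix.

    Raises ValueError for an unacceptable callback so the caller can
    return an error instead of emitting script with that name.
    """
    if not validate_callback(callback):
        raise ValueError("invalid JSONP callback")
    body = json.dumps(payload, separators=(",", ":"))
    return f"{RESPONSE_PREFIX}{callback}({body});"


def response_starts_with_prefix(body):
    """Check used by the test: the first bytes are the fixed prefix."""
    return body.startswith(RESPONSE_PREFIX)


if __name__ == "__main__":
    sample = {"result": "ok"}  # constructed payload
    print(jsonp_unrestricted("cb", sample))
    print(jsonp_hardened("cb", sample))
```

The difference to check is where the caller-controlled name lands: in the weak form it is at byte 0 of the body, in the hardened form it only ever appears after the fixed prefix, and over-long or non-identifier names are refused outright.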

Affected product

Vendor: n/a
Product: n/a
Versions: n/a (affected)

References

- FEDORA-2014-8919 (vendor advisory, x_refsource_FEDORA)
- MDVSA-2014:169 (vendor advisory, x_refsource_MANDRIVA)
- FEDORA-2014-8920 (vendor advisory, x_refsource_FEDORA)
- 1030648 (vdb entry, x_refsource_SECTRACK)
