Bugzilla CVE-2012-0453 Cross Site Request Forgery Vulnerability

Bugtraq ID:	52135
Class:	Input Validation Error
CVE:	CVE-2012-0453
Remote:	Yes
Local:	No
Published:	Feb 23 2012 12:00AM
Updated:	Apr 13 2015 10:24PM
Credit:	Mario Gomes
Vulnerable:	Mozilla Bugzilla 4.1.3 Mozilla Bugzilla 4.1.1 Mozilla Bugzilla 4.0.4 Mozilla Bugzilla 4.0.3 Mozilla Bugzilla 4.0.2 Mozilla Bugzilla 4.2rc2 Mozilla Bugzilla 4.2rc1
Not Vulnerable:	Mozilla Bugzilla 4.0.5 Mozilla Bugzilla 4.2

Bugzilla CVE-2012-0453 Cross Site Request Forgery Vulnerability

Bugzilla is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to make changes to bugs or perform certain administrative actions. Other attacks are also possible.

Bugzilla versions 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2 are vulnerable.

Bugzilla CVE-2012-0453 Cross Site Request Forgery Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim to follow a malicious URI or visit a malicious website.

Bugzilla CVE-2012-0453 Cross Site Request Forgery Vulnerability

Solution:
Updates are available. Please see the references for more information.

Bugzilla CVE-2012-0453 Cross Site Request Forgery Vulnerability

References:

• 4.2rc2 and 4.0.4 Security Advisory (Mozilla)
  
• Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the XML-RPC API wh (Mozilla)
  
• Bugzilla Homepage (Bugzilla)