FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bugzilla -- Cross Site Request Forgery

Affected packages
bugzilla44 < 4.4.5

Details

VuXML ID 9defb2d6-1404-11e4-8cae-20cf30e32f6d
Discovery 2014-07-24
Entry 2014-07-25

A Bugzilla Security Advisory reports:

Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

References

CVE Name CVE-2014-1546