Vulnerability CVE-2007-0791 - CERT Civis.Net

Vulnerability Name:

CVE-2007-0791 (CCN-32248)

Assigned:

2007-02-02

Published:

2007-02-02

Updated:

2018-10-16

Summary:

Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.20.3, 2.22.1, and 2.23.3, and earlier versions down to 2.20.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS v3 Severity:

4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: BugTraq Mailing List, Fri Feb 02 2007 - 19:54:16 CST
Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3

Source: MITRE
Type: CNA
CVE-2007-0791

Source: OSVDB
Type: UNKNOWN
33090

Source: CCN
Type: SA24031
Bugzilla Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: UNKNOWN
24031

Source: SREASON
Type: UNKNOWN
2222

Source: CCN
Type: SECTRACK ID: 1017585
Bugzilla Input Validation Flaw in Atom Feeds Permits Cross-Site Scripting Attacks and Access Control Bug May Disclose Database Password

Source: SECTRACK
Type: UNKNOWN
1017585

Source: CCN
Type: Bugzilla Web site
Download- Bugzilla

Source: CONFIRM
Type: Vendor Advisory
http://www.bugzilla.org/security/2.20.3/

Source: CCN
Type: OSVDB ID: 33090
Bugzilla Atom Feeds Unspecified XSS

Source: BUGTRAQ
Type: UNKNOWN
20070203 Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3

Source: BID
Type: UNKNOWN
22380

Source: CCN
Type: BID-22380
Mozilla Bugzilla HTML Injection And Information disclosure Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2007-0477

Source: XF
Type: UNKNOWN
bugzilla-atom-feed-xss(32248)

Source: XF
Type: UNKNOWN
bugzilla-atom-feed-xss(32248)

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:bugzilla:2.20.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.23.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.23.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:bugzilla:2.21:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.23.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.22:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.23.2:*:*:*:*:*:*:*

Denotes that component is vulnerable