New subject: [Bug 1295438] CVE-2015-8509 bugzilla: information leak when parsing the CSV file

4 Jan 2016


      https://bugzilla.redhat.com/show_bug.cgi?id=1295438
Bug ID: 1295438
           Summary: CVE-2015-8509 bugzilla: information leak when parsing
                    the CSV file
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: mprpic@redhat.com
                CC: bazanluis20@gmail.com, emmanuel@seyman.fr,
                    itamar@ispbrasil.com.br,
                    perl-devel@lists.fedoraproject.org
Upstream Bugzilla fixed the following issue:
If an external HTML page contains a <script> element with its src attribute
pointing to a buglist in CSV format, some web browsers incorrectly try to parse
the CSV file as valid JavaScript code. As the buglist is generated based on the
privileges of the user logged into Bugzilla, the external page could collect
confidential data contained in the CSV file.
This issue was fixed in versions 4.2.16, 4.4.11, and 5.0.2.
Upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1232785
-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1295438] New: CVE-2015-8509 bugzilla: information leak when parsing the CSV file