CVE-2002-0010
First published: Thu Jan 10 2002(Updated: )
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Bugzilla | <=2.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
- http://www.bugzilla.org/security2_14_1.html
- http://bugzilla.mozilla.org/show_bug.cgi?id=108812
- http://bugzilla.mozilla.org/show_bug.cgi?id=108822
- http://bugzilla.mozilla.org/show_bug.cgi?id=108821
- http://bugzilla.mozilla.org/show_bug.cgi?id=109690
- http://bugzilla.mozilla.org/show_bug.cgi?id=109679
- http://www.bugzilla.org/bugzilla2.14to2.14.1.patch
- http://rhn.redhat.com/errata/RHSA-2002-001.html
- http://www.securityfocus.com/bid/3801
- http://www.securityfocus.com/bid/3802
- http://www.securityfocus.com/bid/3804
- http://www.securityfocus.com/bid/3805
- http://www.iss.net/security_center/static/7807.php
- http://www.iss.net/security_center/static/7814.php
- http://www.iss.net/security_center/static/7813.php
- http://www.iss.net/security_center/static/7811.php
- http://www.iss.net/security_center/static/7809.php
- http://archives.neohapsis.com/archives/bugtraq/2002-01/0052.html
Frequently Asked Questions
What is the severity of CVE-2002-0010?
CVE-2002-0010 has a moderate severity due to its potential for SQL injection and privilege escalation.
How do I fix CVE-2002-0010?
To fix CVE-2002-0010, upgrade Bugzilla to version 2.14.1 or later.
Who is affected by CVE-2002-0010?
CVE-2002-0010 affects users of Bugzilla versions prior to 2.14.1.
What are the exploitation methods for CVE-2002-0010?
Exploitation methods for CVE-2002-0010 include injecting SQL code through parameters in buglist.cgi and userprefs.cgi.
What type of vulnerability is CVE-2002-0010?
CVE-2002-0010 is an SQL injection vulnerability affecting Bugzilla.
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/mozilla
- canonical/mozilla bugzilla
- version/mozilla bugzilla/2.14.1