https://bugzilla.redhat.com/show_bug.cgi?id=1546886
Bug ID: 1546886
Summary: CVE-2018-5123 bugzilla: CSRF in report.cgi allows to extract confidential information from a bug
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: bazanluis20@gmail.com, emmanuel@seyman.fr, itamar@ispbrasil.com.br, perl-devel@lists.fedoraproject.org
A flaw was found in Bugzilla versions 2.16rc1 to 4.4.12 and 4.5.1 to 5.0.3. A Cross-Site Request Forgery (CSRF) vulnerability in report.cgi would allow a third-party site to extract confidential information from a bug the victim had access to.
References:
https://packetstormsecurity.com/files/146473/bugzilla45-xsrf.txt
https://bugzilla.mozilla.org/show_bug.cgi?id=1433400

Patch:
[4.4] https://bugzilla.mozilla.org/attachment.cgi?id=8950824&action=edit
[5.0] https://bugzilla.mozilla.org/attachment.cgi?id=8951341&action=edit