Vulnerability Description
Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Bugzilla | 2.16 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/45501 (Vendor Advisory)
- http://www.bugzilla.org/security/3.4.11/ (Vendor Advisory)
- http://www.debian.org/security/2011/dsa-2322
- http://www.osvdb.org/74301
- http://www.securityfocus.com/bid/49042
- https://bugzilla.mozilla.org/show_bug.cgi?id=670868 (Patch)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69036
FAQ
What is CVE-2011-2978?
CVE-2011-2978 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-m...
How severe is CVE-2011-2978?
CVE-2011-2978 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2011-2978?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Bugzilla.