CVE-2014-1572 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-1572 PUBLISHED

Reported by mozilla · Published October 13, 2014

The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
n/a	n/a	n/a

Timeline

Oct 13, 2014 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score
Jul 10, 2023 EPSS Score

References

x_refsource_MISC
MDVSA-2014:200 vendor-advisoryx_refsource_MANDRIVA
x_refsource_MISC
x_refsource_CONFIRM
[oss-security] 20141007 "New Class of Vulnerability in Perl Web Applications" mailing-listx_refsource_MLIST
FEDORA-2014-12591 vendor-advisoryx_refsource_FEDORA
x_refsource_MISC
x_refsource_MISC
x_refsource_CONFIRM
x_refsource_CONFIRM
GLSA-201607-11 vendor-advisoryx_refsource_GENTOO
FEDORA-2014-12584 vendor-advisoryx_refsource_FEDORA
FEDORA-2014-12530 vendor-advisoryx_refsource_FEDORA
1030978 vdb-entryx_refsource_SECTRACK

Open in Interactive Console →