CVE-2014-1572
PUBLISHED
Reported by Mozilla · Published October 13, 2014
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| n/a | n/a | n/a, n/a |
Timeline
- Oct 13, 2014 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 16, 2023 EPSS Score
References
- MDVSA-2014:200 (vendor-advisory, x_refsource_MANDRIVA)
- [oss-security] 20141007 "New Class of Vulnerability in Perl Web Applications" (mailing-list, x_refsource_MLIST)
- FEDORA-2014-12591 (vendor-advisory, x_refsource_FEDORA)
- GLSA-201607-11 (vendor-advisory, x_refsource_GENTOO)
- FEDORA-2014-12584 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2014-12530 (vendor-advisory, x_refsource_FEDORA)
- 1030978 (vdb-entry, x_refsource_SECTRACK)