Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
BugZilla BugList.CGI SQL查询操控漏洞
Vulnerability Description
Bugzilla 2.14.1之前版本存在漏洞。远程攻击者借助(1)buglist.cgi中的sql参数,(2)buglist.cgi中"boolean chart"查询的无效字段名,(3)userprefs.cgi中的mybugslink参数,(4)long_list.cgi中buglist参数的畸形漏洞ID,以及(5)editusers.cgi中的value参数注入任意SQL代码以及创建文件或者提升特权,具有blessgroupset特权的攻击者可以修改groupset特权。
CVSS Information
N/A
Vulnerability Type
N/A