CVE-2011-3667
Bugzilla < 3.4.13, < 3.6.7, < 4.0.3, <= 4.1.3 - Unauthenticated Account Creation
Title source: llmDescription
The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.
References (4)
Core References
Third Party Advisory, mailing-list (x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2011-12/0184.html
Vendor Advisory (x_refsource_confirm): http://www.bugzilla.org/security/3.4.12/
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/72042
Issue Tracking (x_refsource_confirm): https://bugzilla.mozilla.org/show_bug.cgi?id=711714
Scores
EPSS: 0.0107
EPSS Percentile: 60.5%
Details
CWE: CWE-287
Status: published
Products (45)
mozilla/bugzilla: 2.0, 2.2, 2.4, 2.6, 2.8, 2.9, 2.10, 2.12, 2.14, 2.14.1
... and 35 more
Published: Jan 02, 2012
Tracked Since: Feb 18, 2026