CVE-2012-1969
Bugzilla < 3.6.10, 4.0.x < 4.0.7, 4.1.x-4.2.x < 4.2.2, 4.3.x < 4.3.2 - Information Disclosure
Title source: llmDescription
The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.
References (4)
Core 4
Core References
Issue Tracking x_refsource_confirm
http://www.bugzilla.org/security/3.6.9/
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=777586
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50040
Scores
EPSS
0.0155
EPSS Percentile
72.4%
Details
CWE
CWE-264
Status
published
Products (45)
mozilla/bugzilla
2.0
mozilla/bugzilla
2.2
mozilla/bugzilla
2.4
mozilla/bugzilla
2.6
mozilla/bugzilla
2.8
mozilla/bugzilla
2.9
mozilla/bugzilla
2.10
mozilla/bugzilla
2.12
mozilla/bugzilla
2.14
mozilla/bugzilla
2.14.1
... and 35 more
Published
Jul 30, 2012
Tracked Since
Feb 18, 2026