CVE-2012-1969

Bugzilla < 3.6.10, 4.0.x < 4.0.7, 4.1.x-4.2.x < 4.2.2, 4.3.x < 4.3.2 - Information Disclosure

Title source: llm
STIX 2.1

Description

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.

References (4)

Core 4
Core References
Issue Tracking x_refsource_confirm
http://www.bugzilla.org/security/3.6.9/
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=777586
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50040

Scores

EPSS 0.0155
EPSS Percentile 72.4%

Details

CWE
CWE-264
Status published
Products (45)
mozilla/bugzilla 2.0
mozilla/bugzilla 2.2
mozilla/bugzilla 2.4
mozilla/bugzilla 2.6
mozilla/bugzilla 2.8
mozilla/bugzilla 2.9
mozilla/bugzilla 2.10
mozilla/bugzilla 2.12
mozilla/bugzilla 2.14
mozilla/bugzilla 2.14.1
... and 35 more
Published Jul 30, 2012
Tracked Since Feb 18, 2026