CVE-2015-8509
LOWBugzilla <4.2.16, <4.3.x, <4.4.11, <5.0.2 - Info Disclosure
Title source: llmDescription
Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.
References (6)
Core 6
Core References
Mailing List mailing-list
x_refsource_bugtraq
http://seclists.org/bugtraq/2015/Dec/131
Exploit, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1232785
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/79662
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1034556
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html
Issue Tracking x_refsource_confirm
https://www.bugzilla.org/security/4.2.15/
Scores
CVSS v3
3.5
EPSS
0.0026
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (50)
mozilla/bugzilla
2.0
mozilla/bugzilla
2.2
mozilla/bugzilla
2.4
mozilla/bugzilla
2.6
mozilla/bugzilla
2.8
mozilla/bugzilla
2.10
mozilla/bugzilla
2.12
mozilla/bugzilla
2.14
mozilla/bugzilla
2.14.1
mozilla/bugzilla
2.14.2
... and 40 more
Published
Jan 03, 2016
Tracked Since
Feb 18, 2026