Design/Logic Flaw

2012-01-0219:55:00

PRIOn knowledge base

www.prio-n.com

7 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.7%

JSON

The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.

CPENameOperatorVersion
bugzillaeq3.0.4
bugzillaeq3.0 rc1
bugzillaeq4.1.1
bugzillaeq3.1.3
bugzillaeq2.0
bugzillaeq2.18.6
bugzillaeq2.16.8
bugzillaeq3.0.0
bugzillaeq2.22.7
bugzillaeq3.7.2

Name	Operator	Version
bugzilla	eq	3.0.4
bugzilla	eq	3.0 rc1
bugzilla	eq	4.1.1
bugzilla	eq	3.1.3
bugzilla	eq	2.0
bugzilla	eq	2.18.6
bugzilla	eq	2.16.8
bugzilla	eq	3.0.0
bugzilla	eq	2.22.7
bugzilla	eq	3.7.2