Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2002-0010

Disclosure Date: January 31, 2002 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the “boolean chart” query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

mozilla

Products

bugzilla

Weaknesses

NVD-CWE-Other

References

Canonical

CVE-2002-0010 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0010)

BID-3805 (http://www.securityfocus.com/bid/3805)

BID-3802 (http://www.securityfocus.com/bid/3802)

BID-3801 (http://www.securityfocus.com/bid/3801)

BID-3804 (http://www.securityfocus.com/bid/3804)

Advisory

20020106 Inproper input validation in Bugzilla <=2.14 - exploit (http://archives.neohapsis.com/archives/bugtraq/2002-01/0052.html)

XF-bugzilla-longlist-modify-sql(7811) (http://www.iss.net/security_center/static/7811.php)

XF-bugzilla-editusers-change-groupset(7814) (http://www.iss.net/security_center/static/7814.php)

XF-bugzilla-buglist-sql-logic(7813) (http://www.iss.net/security_center/static/7813.php)

http://rhn.redhat.com/errata/RHSA-2002-001.html

20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older (http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html)

XF-bugzilla-buglist-modify-sql(7807) (http://www.iss.net/security_center/static/7807.php)

http://www.bugzilla.org/security2_14_1.html

XF-bugzilla-userprefs-change-groupset(7809) (http://www.iss.net/security_center/static/7809.php)

Miscellaneous

http://bugzilla.mozilla.org/show_bug.cgi?id=108821

http://bugzilla.mozilla.org/show_bug.cgi?id=108812

http://www.bugzilla.org/bugzilla2.14to2.14.1.patch

http://bugzilla.mozilla.org/show_bug.cgi?id=108822

http://bugzilla.mozilla.org/show_bug.cgi?id=109679

http://bugzilla.mozilla.org/show_bug.cgi?id=109690

Rapid7

Technical Analysis