| |
Vulnerability CVE-2012-0465
Published: 2012-04-27 Modified: 2012-04-28
Description: |
Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. |
See advisories in our WLB2 database: | Topic | Author | Date |
High |
| Multiple | 20.04.2012 |
Type:
CWE-264 (Permissions, Privileges, and Access Controls)
CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
4.3/10 |
2.9/10 |
8.6/10 |
Exploit range |
Attack complexity |
Authentication |
Remote |
Medium |
No required |
Confidentiality impact |
Integrity impact |
Availability impact |
Partial |
None |
None |
References: |
https://bugzilla.mozilla.org/show_bug.cgi?id=728639
http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html
|
|
|
Copyright 2024, cxsecurity.com
|
|
|