Information Disclosure Vulnerability in Bugzilla's get_attachment_link Function

Information Disclosure Vulnerability in Bugzilla's get_attachment_link Function

CVE-2012-1969 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:N/A:N

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.

Learn more about our Web Application Penetration Testing UK.