CVE-2009-3166 — Mozilla Bugzilla vulnerability

CWE-2553 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.4%

top 41.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Bugzilla

Timeline

PublishedSep 15

Latest updateMay 2

Description

token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDmozilla/bugzilla3.4, 3.4.1+1

Patches

Patch: www.bugzilla.org ↗Patch: www.securityfocus.com ↗Patch: www.bugzilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-cmrv-4pg3-2v25: token↗2022-05-02

▶

CVEList

CVE-2009-3166: token↗2009-09-15

▶