CVE-2011-3667 — Improper Authentication in Mozilla Bugzilla

CWE-287 — Improper Authentication6 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.5%
top 35.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Bugzilla
Timeline
PublishedJan 2
Latest updateMay 17

Description

The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

â–¶NVDmozilla/bugzilla144 versions+143

🔴Vulnerability Details

2
GHSA
GHSA-j234-73mf-fxmv: The User↗2022-05-17
â–¶
CVEList
CVE-2011-3667: The User↗2012-01-02
â–¶

💬Community

3
Bugzilla
CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669 bugzilla: multiple security flaws fixed in 4.1.3, 4.0.2, 3.6.6, and 3.4.12 [fedora-all]↗2012-01-03
â–¶
Bugzilla
CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669 bugzilla: multiple security flaws fixed in 4.1.3, 4.0.2, 3.6.6, and 3.4.12 [epel-all]↗2012-01-03
â–¶
Bugzilla
CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669 bugzilla: multiple security flaws fixed in 4.1.3, 4.0.2, 3.6.6, and 3.4.12↗2011-12-29
â–¶
CVE-2011-3667 — Improper Authentication in Mozilla | cvebase