CVE-2014-1546

Severity: 4.3 MEDIUM
EPSS: 0.2% (top 55.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 14; latest update May 17

Description

The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD: mozilla/bugzilla (113 versions)

🔴 Vulnerability Details (2)

GHSA: GHSA-xmqw-mh3q-89r9: The response function in the JSONP endpoint in WebService/Server/JSONRPC (2022-05-17)
CVEList: CVE-2014-1546: The response function in the JSONP endpoint in WebService/Server/JSONRPC (2014-08-14)

💥 Exploits & PoCs (1)

Exploit-DB: Palo Alto Traps Server 3.1.2.1546 - Persistent Cross-Site Scripting (2015-03-31)

💬 Community (2)

Bugzilla: CVE-2014-1546 bugzilla: Cross Site Request Forgery issue with Bugzilla's JSONP endpoint (2014-07-25)
Bugzilla: CVE-2014-1546 bugzilla: Cross Site Request Forgery issue with Bugzilla's JSONP endpoint [fedora-all] (2014-07-25)