CVE-2015-4499
Severity: 7.5 HIGH
EPSS: 1.6% (top 18.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 14
Latest update: May 17
Description
Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address.
CVSS vector
AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4
Affected Packages: 1 package
Community
Bugzilla: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-6] (2015-09-11)
Bugzilla: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [fedora-all] (2015-09-11)
Bugzilla: CVE-2015-4499 bugzilla: Email address is not properly validated during registration [epel-5] (2015-09-11)