• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Bugzilla Local Dependency Graph HTML Injection Vulnerability

Bugzilla versions 2.16 and later include a feature that allows users to generate bug dependency graphs on their local system via the GraphViz suite. HTML will not be sanitized when these graphs are generated. Malicious HTML and script code may be included in bug summaries.

This may be exploited to cause HTML or script code to be interpreted by the web client of a user who generate a dependency graph which contains malicious data.

Earlier versions of Bugzilla which are configured use a remote server to generate dependency graphs are not affected by this vulnerability.