bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports:
Any user can change any flag on any bug, even if they
don't have access to that bug, or even if they can't
normally make bug changes. This also allows them to expose
the summary of a bug.

Bugs are inserted into the database before they are
marked as private, in Bugzilla code. Thus, MySQL
replication can lag in between the time that the bug is
inserted and when it is marked as private (usually less
than a second). If replication lags at this point, the bug
summary will be accessible to all users until replication
catches up. Also, on a very slow machine, there may be a
pause longer than a second that allows users to see the
title of the newly-filed bug.
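
The replication window described in the advisory text above, modelled as an added example; it is not Bugzilla's code or its actual fix. The two-table schema, the function names and the replay loop are simplifications assumed for illustration: each inner list is one unit that reaches a replica on its own, and a reader may query the replica between units.

```python
import sqlite3

# Assumed, simplified schema: a bug is private when it has a bug_group_map row.
SCHEMA = """
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT);
CREATE TABLE bug_group_map (bug_id INTEGER, group_id INTEGER);
"""

def new_replica():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible_summaries(db):
    """Summaries readable by a user who belongs to no groups."""
    rows = db.execute(
        "SELECT short_desc FROM bugs WHERE bug_id NOT IN "
        "(SELECT bug_id FROM bug_group_map) ORDER BY bug_id")
    return [r[0] for r in rows]

def file_bug_two_steps(bug_id, summary, group_id):
    """Flow from the advisory: insert the bug, then restrict it as a separate unit."""
    return [
        [("INSERT INTO bugs VALUES (?, ?)", (bug_id, summary))],
        [("INSERT INTO bug_group_map VALUES (?, ?)", (bug_id, group_id))],
    ]

def file_bug_atomic(bug_id, summary, group_id):
    """Both writes in one unit, so a replica never holds one without the other."""
    return [[
        ("INSERT INTO bugs VALUES (?, ?)", (bug_id, summary)),
        ("INSERT INTO bug_group_map VALUES (?, ?)", (bug_id, group_id)),
    ]]

def exposed_during_replay(units):
    """Apply units one by one to a fresh replica; return every summary a reader could see."""
    replica, seen = new_replica(), set()
    for unit in units:
        with replica:  # one committed transaction per replicated unit
            for sql, params in unit:
                replica.execute(sql, params)
        seen.update(visible_summaries(replica))  # a lagging reader lands here
    return sorted(seen)

SUMMARY = "constructed private bug summary"  # constructed sample value
print("two-step:", exposed_during_replay(file_bug_two_steps(1, SUMMARY, 7)))
print("atomic:  ", exposed_during_replay(file_bug_atomic(1, SUMMARY, 7)))
```
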
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright