Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.
References
Configurations
Configuration 1 (hide)
|
Information
Published : 2012-04-27 13:55
Updated : 2012-08-13 20:34
NVD link : CVE-2012-0465
Mitre link : CVE-2012-0465
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
mozilla
- bugzilla