Bugzilla contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plaintext passwords when the user is prompted to log in while attempting to view a chart. The user's password can be embedded as part of a report URL, and thus visible in the web server logs, which may lead to a loss of confidentiality.

Upgrade to version 2.18.1 or higher, or 2.19.3 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 15338
• Related OSVDB ID: 16425 16426
• CVE ID: 2005-1565 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0144.html
• Vendor Specific Advisory URL: http://www.bugzilla.org/security/2.16.8/
• Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=287436

• Roman Pszonka -
• Gervase Markham -
• Frédéric Buclin -
• Myk Melez -
• Joel Peshkin - bugreportpeshkin.net -
• Marc Schumann -