The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-01-02T19:00:00

Updated: 2024-08-06T23:46:02.642Z

Reserved: 2011-09-23T00:00:00

Link: CVE-2011-3667

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-01-02T19:55:01.670

Modified: 2024-11-21T01:30:58.080

Link: CVE-2011-3667

cve-icon Redhat

No data.