Lucene search: MozillaBugzilla

145 matches found

CVE | added 2011/08/09 7:00 p.m.

CVE-2008-7292

Technical details for CVE-2008-7292 are not publicly provided in the supplied documents. Monitor for updates; the Bugzilla local-file disclosure described in the initial entry is not elaborated here.

CVSS 2.1 | AI score 5.6 | EPSS 0.00384

CVE | added 2009/02/09 5:00 p.m.

CVE-2009-0485

CVE-2009-0485 is a CSRF vulnerability in Bugzilla affecting 2.17–2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2. An attacker can cause deletion of unused flag types by delivering a crafted link or IMG tag to editflagtypes.cgi. The root cause is CSRF without sufficient user inter...

CVSS 5.8 | AI score 6.6 | EPSS 0.00549

CVE | added 2019/04/29 3:34 p.m.

CVE-2018-5123

CVE-2018-5123 describes a CSRF vulnerability in Bugzilla's report.cgi that can let a third party extract confidential information from a bug entry accessible to the victim. Affected are Bugzilla releases prior to 4.4; CVSS2 base 6.8 (NETWORK, no auth, partial confidentiality/integrity/availabilit...

CVSS 8.8 | AI score 8.3 | EPSS 0.00504

CVE | added 2003/04/02 5:00 a.m.

CVE-2001-1407

Bugzilla before 2.14 is vulnerable: users can bypass group security by marking a bug as a duplicate of a restricted bug, which adds the user to the restricted bug’s CC list and lets them view it. Affected: Bugzilla ≤ 2.13 (pre-2.14). Root cause: bypass of group security checks via duplicate marki...

CVSS 7.5 | AI score 7 | EPSS 0.01163

CVE | added 2009/09/15 10:00 p.m.

CVE-2009-3125

CVE-2009-3125: Bugzilla 3.3.2–3.4.1 and 3.5 are affected by an SQL injection in the Bug.search WebService, allowing remote attackers to execute arbitrary SQL via unspecified parameters. The issue is within Bugzilla’s web service layer and is tied to untrusted input used in SQL queries. Several c...

CVSS 7.5 | AI score 8 | EPSS 0.01393

CVE | added 2010/02/03 7:00 p.m.

CVE-2009-3387

CVE-2009-3387 affects Bugzilla 3.3.1–3.4.4, 3.5.1–3.5.2; the root cause is that group restrictions are not preserved when moving a bug to a different product category, enabling remote attackers to view sensitive information via a bug request in opportunistic circumstances. The provided documents ...

CVSS 5 | AI score 5.9 | EPSS 0.017

CVE | added 2011/08/09 7:00 p.m.

CVE-2011-2978

Bugzilla CVE-2011-2978: The vulnerability arises because Bugzilla does not prevent changes to the confirmation email address (old_email) when a user initiates an email change, allowing an attacker with access to another user’s session (e.g., an unattended workstation) to redirect the change notif...

CVSS 5 | AI score 6.6 | EPSS 0.01713

CVE | added 2012/11/16 11:00 a.m.

CVE-2012-4198

The CVE-2012-4198 issue affects Bugzilla’s WebService User.get method in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4rc1. Root cause: different outcomes for a groups request depending on whether a group exists, enabling remote authenticated users...

CVSS 4 | AI score 6.1 | EPSS 0.00874

CVE | added 2002/08/31 4:00 a.m.

CVE-2001-1402

Bugzilla before 2.14 does not properly escape untrusted parameters, enabling cross-site scripting (XSS) and potentially SQL injection via multiple input points. Affected areas include reports.cgi (product/output form variables), showvotes.cgi (voteon, bug_id, user), createaccount.cgi (email), sho...

CVSS 7.5 | AI score 7.6 | EPSS 0.01917

CVE | added 2004/06/03 4:00 a.m.

CVE-2003-1046

The CVE-2003-1046 entry concerns Bugzilla versions 2.17.3 and 2.17.4. Describecomponents.cgi fails to properly verify group membership when bug entry groups are used, allowing remote attackers to list component descriptions for products that should be restricted. The core issue is an insufficient...

CVSS 7.5 | AI score 6.7 | EPSS 0.0135

CVE | added 2009/04/01 10:00 a.m.

CVE-2009-1213

Bugzilla CSRF: CVE-2009-1213 is a vulnerability in attachment.cgi that affects Bugzilla 3.2 before 3.2.3 and 3.3 before 3.3.4 (and earlier versions). The flaw allows remote attackers to hijack a user’s authenticated session when performing attachment editing, via Cross‑Site Request Forgery. Impac...

CVSS 6.8 | AI score 7 | EPSS 0.00691

CVE | added 2012/01/02 7:00 p.m.

CVE-2011-3669

CVE-2011-3669: CSRF vulnerability in Bugzilla’s attachment.cgi permits remote attackers to hijack the authentication of arbitrary users when uploading attachments. Affected software: Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Root cause: cross-site request forgery on the attachment upload path....

CVSS 6.8 | AI score 7.1 | EPSS 0.00945

CVE | added 2012/07/28 6:00 p.m.

CVE-2012-1968

Bugzilla HTML bugmails vulnerability (CVE-2012-1968): versions 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 serialize bug/attachment IDs with tooltips, but permission checks use the editor’s rights instead of the addressee’s. This can disclose confidential information via tooltips in HTML ...

CVSS 4.3 | AI score 6.1 | EPSS 0.01457

CVE | added 2004/07/21 4:00 a.m.

CVE-2004-0707

CVE-2004-0707 describes an SQL injection in Bugzilla’s editusers.cgi. The issue affects Bugzilla 2.16.x before 2.16.6 and 2.18 before 2.18rc1, allowing remote attackers with privileges to grant membership to any group to execute arbitrary SQL. The connected information confirms the vulnerable com...

CVSS 7.5 | AI score 8.2 | EPSS 0.01025

CVE | added 2007/02/06 7:00 p.m.

CVE-2007-0791

CVE-2007-0791 is a cross-site scripting (XSS) vulnerability in Bugzilla’s Atom feeds affecting Bugzilla versions 2.20.3, 2.22.1, 2.23.3, and older releases back to 2.20.1. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors within Atom feeds. The conne...

CVSS 4.3 | AI score 5.7 | EPSS 0.01188

CVE | added 2009/02/09 5:00 p.m.

CVE-2009-0484

CVE-2009-0484 is a CSRF vulnerability in Bugzilla that allows remote attackers to delete shared or saved searches via a crafted link or IMG tag to buglist.cgi. Affected are Bugzilla 3.0.x before 3.0.7, 3.2.x before 3.2.1, and 3.3.x before 3.3.2. The underlying issue is cross-site request forgery ...

CVSS 5.8 | AI score 6.6 | EPSS 0.00549

CVE | added 2010/11/05 4:28 p.m.

CVE-2010-3764

Affected software/versions: Bugzilla 2.12–3.2.8, 3.4.8, 3.6.2, 3.7.3, 4.1. Root cause / vulnerability: the Old Charts implementation creates graph files in graphs/ with predictable names, enabling remote attackers to retrieve sensitive information via a modified URL. Impact: Unauthorized disc...

CVSS 5 | AI score 5.8 | EPSS 0.02391

CVE | added 2012/02/25 2:00 a.m.

CVE-2012-0453

The CVE-2012-0453 entry describes a Cross-site Request Forgery (CSRF) vulnerability in Bugzilla versions 4.0.2–4.0.4 and 4.1.1–4.2rc2 when using mod_perl. The flaw allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product’s installation via the X...

CVSS 5.1 | AI score 7 | EPSS 0.00826

CVE | added 2014/10/13 1:00 a.m.

CVE-2014-1573

CVE-2014-1573 affects Bugzilla before fixes: 2.x–4.0.x before 4.0.15; 4.1.x and 4.2.x before 4.2.11; 4.3.x and 4.4.x before 4.4.6; and 4.5.x before 4.5.6. The issue arises from not ensuring scalar context for certain CGI parameters, enabling remote XSS via a single parameter name receiving three ...

CVSS 4.3 | AI score 5.6 | EPSS 0.02326

CVE | added 2000/07/12 4:00 a.m.

CVE-2000-0421

The CVE-2000-0421 entry corresponds to a vulnerability in Bugzilla where the process_bug.cgi script fails to sanitize user-supplied data, enabling remote arbitrary command execution. Technical documentation from connected sources confirms this flaw affects Bugzilla’s remote command execution via ...

CVSS 7.5 | AI score 7.6 | EPSS 0.01741

CVE | added 2001/05/24 4:00 a.m.

CVE-2001-0329

Bugzilla 2.10 is vulnerable to remote arbitrary command execution via shell metacharacters in a username, processed by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi. The root cause is lack of input sanitization in the CGI workflow, enabling an attacker ...

CVSS 7.5 | AI score 7.6 | EPSS 0.03132

CVE | added 2003/04/02 5:00 a.m.

CVE-2002-0804

Bugzilla 2.14 (before 2.14.2) and 2.16 (before 2.16rc2) are vulnerable when configured to perform reverse DNS lookups. Remote attackers can bypass IP-based access restrictions by connecting from a host with a spoofed reverse DNS hostname. The provided materials do not specify a patch or workaround.

CVSS 7.5 | AI score 6.8 | EPSS 0.01396

CVE | added 2005/05/14 4:00 a.m.

CVE-2005-1563

Bugzilla 2.10–2.18, 2.19.1, and 2.19.2 contain an information-disclosure flaw: the error message differs depending on whether a product exists, enabling remote attackers to infer the existence of hidden products. This CVE (CVE-2005-1563) is documented across CVE/NVD/CVE List entries and related a...

CVSS 5 | AI score 6.7 | EPSS 0.01289

CVE | added 2006/02/28 11:00 a.m.

CVE-2006-0913

CVE-2006-0913 describes an SQL injection in the Bugzilla component for the web front end. The vulnerability affects Bugzilla versions 2.17 through 2.18.4 and 2.20, where remote authenticated users with administrative privileges can exploit the flaw via the whinedays parameter exposed from editpar...

CVSS 5.5 | AI score 7.8 | EPSS 0.01018

CVE | added 2010/06/28 5:00 p.m.

CVE-2010-0180

Bugzilla localconfig information disclosure (CVE-2010-0180) affects Bugzilla 3.5.1–3.6.1 and 3.7.x when use_suexec is enabled. World-readable permissions on localconfig can allow local users to read sensitive fields (e.g., database password, site_wide_secret). Related CVEs (CVE-2010-2470) note si...

CVSS 1.9 | AI score 6.1 | EPSS 0.00236

CVE | added 2014/04/20 1:00 a.m.

CVE-2014-1517

CVE-2014-1517 corresponds to a login CSRF flaw in Bugzilla 2.x/3.x/4.x before 4.4.3 and 4.5.x before 4.5.3. Multiple security advisories (Mageia MGASA-2014-0200, OpenVAS entries, Fedora updates) indicate a fix was released in Bugzilla packages; apply the vendor patch/update to the affected system...

CVSS 4 | AI score 5.6 | EPSS 0.01314

CVE | added 2007/10/18 10:00 a.m.

CVE-2002-2260

Vulnerability context (CVE-2002-2260): Mozilla Bugzilla's quips feature is affected in versions 2.10–2.17, where an XSS vulnerability exists that lets remote attackers inject arbitrary script/HTML via the “show all quips” page. Several connected sources (including Debian’s DSA-218-1 and OpenVAS ...

CVSS 4.3 | AI score 5.6 | EPSS 0.0109

CVE | added 2006/02/28 11:00 a.m.

CVE-2006-0914

The CVE-2006-0914 entry affects Bugzilla versions 2.16.10, 2.17 through 2.18.4, and 2.20. The vulnerability arises because character handling in the mostfreqthreshold parameter within duplicates.cgi is insufficient, allowing remote attackers to trigger a SQL error. This is documented across multi...

CVSS 5.5 | AI score 6.9 | EPSS 0.01131

CVE | added 2007/08/27 9:00 p.m.

CVE-2007-4538

CVE-2007-4538 affects Bugzilla 2.23.4–3.0.0 via the email_in.pl path. The vulnerability arises when using Email::Send::Sendmail with the -f From address, enabling remote attackers to inject shell metacharacters and execute arbitrary commands. Exploitation is described in multiple sources (includi...

CVSS 5 | AI score 7.4 | EPSS 0.01921

CVE | added 2004/07/21 4:00 a.m.

CVE-2004-0703

CVE-2004-0703 describes a privilege-escalation issue in Bugzilla’s administrative controls. Versions 2.17.1–2.17.7 allow users with grant membership privileges to grant memberships to groups the user does not control, enabling broader access within the Bugzilla installation. The vulnerability is ...

CVSS 7.5 | AI score 6.5 | EPSS 0.01118

CVE | added 2006/10/23 5:00 p.m.

CVE-2006-5455

CVE-2006-5455 is a CSRF vulnerability in Bugzilla’s editversions.cgi that allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL. Affected releases are Bugzilla versions before 2.22.1 and 2.23.x before 2.23.3. The root cause is insufficient CSRF...

CVSS 2.6 | AI score 6.7 | EPSS 0.01573

CVE | added 2007/02/06 7:00 p.m.

CVE-2007-0792

The CVE-2007-0792 entry describes a vulnerability in Bugzilla 2.23.3 where the mod_perl initialization script fails to set the Bugzilla Apache configuration to permit .htaccess overrides of file permissions. This allows remote attackers to directly request the localconfig file and obtain the data...

CVSS 7.5 | AI score 6.6 | EPSS 0.01322

CVE | added 2007/09/24 12:00 a.m.

CVE-2007-5038

CVE-2007-5038 affects Bugzilla WebService: offer_account_by_email in User.pm does not validate the createemailregexp parameter, permitting remote creation of accounts that would be denied by the email regexp. Affected versions are Bugzilla before 3.0.2 and 3.1.x before 3.1.2. Exploitation would b...

CVSS 7.5 | AI score 6.5 | EPSS 0.01955

CVE | added 2009/02/09 6:00 p.m.

CVE-2008-6098

CVE-2008-6098 affects several Bugzilla releases (e.g., Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and related versions). The vulnerability lets remote authenticated users bypass moderation to approve/disapprove quips via a direct request to quips.cgi with actio...

CVSS 4 | AI score 6.1 | EPSS 0.01146

CVE | added 2010/08/13 7:00 p.m.

CVE-2010-2758

CVE-2010-2758 concerns Bugzilla where error messages differ depending on whether a product exists, enabling remote users to enumerate product names. Affected versions include Bugzilla 2.17.1–3.2.7, 3.3.1–3.4.7, 3.5.1–3.6.1, and 3.7–3.7.2. The connected documents reference Fedora/OpenVAS advisorie...

CVSS 5 | AI score 6.4 | EPSS 0.01411

CVE | added 2011/08/09 7:00 p.m.

CVE-2011-2976

Bugzilla XSS vulnerability CVE-2011-2976 affects Bugzilla 2.16rc1–2.22.7, 3.0.x–3.3.x, and 3.4.x before 3.4.12. The issue allows remote attackers to inject arbitrary web script or HTML via vectors involving the BUGLIST cookie. No remediation details are provided in the connected docume...

CVSS 4.3 | AI score 5.5 | EPSS 0.01446

CVE | added 2013/02/24 11:00 a.m.

CVE-2013-0786

The CVE-2013-0786 issue affects Bugzilla 2.x and 3.x before 3.6.13, and 4.0.x before 4.0.10, where Bugzilla::Search::build_subselect generates different error messages for invalid product queries depending on product existence. This behavior allows remote attackers to discover private product nam...

CVSS 5 | AI score 6.5 | EPSS 0.01657

CVE | added 2002/08/31 4:00 a.m.

CVE-2001-1401

Bugzilla before 2.14 contains an access-control flaw where confidential bugs can be viewed by manipulating bug id parameters in multiple scripts (process_bug.cgi, show_activity.cgi, showvotes.cgi, showdependencytree.cgi, showdependencygraph.cgi, showattachment.cgi, describecomponents.cgi). The un...

CVSS 7.5 | AI score 7 | EPSS 0.01672

CVE | added 2003/04/02 5:00 a.m.

CVE-2002-0805

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 contain two issues: (1) creation of new directories with world-writable permissions, and (2) creation of the params file with world-writable permissions. These flaws allow local users to modify the files and execute code. The provided sources co...

CVSS 4.6 | AI score 6.5 | EPSS 0.00328

CVE | added 2003/07/29 4:00 a.m.

CVE-2003-0603

CVE-2003-0603 affects Bugzilla up to 2.16.2/2.17.x: local users could overwrite arbitrary files via a symlink attack on temporary files created in world- or group-writable directories. Root cause: insecure handling of temporary filenames leading to symlink exploits. Impact: local privilege or fil...

CVSS 2.1 | AI score 6.4 | EPSS 0.00295

CVE | added 2009/02/09 5:00 p.m.

CVE-2009-0486

CVE-2009-0486 affects Bugzilla 3.2.1, 3.0.7, and 3.3.2 when run under mod_perl, where startup srand seeds produce identical pseudorandom numbers for tokens, allowing remote attackers to bypass CSRF protections and perform actions as other users. The vulnerability is documented with a b...

CVSS 7.5 | AI score 6.7 | EPSS 0.00571

CVE | added 2012/01/02 7:00 p.m.

CVE-2011-3667

CVE-2011-3667 affects Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3. The root cause is that when createemailregexp is not empty, Bugzilla does not properly apply the user_can_create_account setting, allowing remote attacker...

CVSS 6.8 | AI score 6.4 | EPSS 0.01067

CVE | added 2012/04/27 8:00 p.m.

CVE-2012-0465

CVE-2012-0465 affects Bugzilla versions 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1. Root cause: improper validation of the X-Forwarded-For header when inbound_proxies is enabled, allowing bypass of the lockout policy via repeated authentication re...

CVSS 4.3 | AI score 6.7 | EPSS 0.01234

CVE | added 2012/07/28 6:00 p.m.

CVE-2012-1969

CVE-2012-1969 affects Bugzilla in multiple branches: get_attachment_link in Template.pm does not verify whether an attachment is private before showing its description in public comments, allowing read access to description text. Affected versions include Bugzilla 2.x and 3.x prior to 3.6.10, 3.7...

CVSS 4.3 | AI score 5.9 | EPSS 0.01553

CVE | added 2003/04/02 5:00 a.m.

CVE-2002-0808

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 suffer from a mass-change bug that resets the groupset of all bugs to the groupset of the first bug, potentially yielding insecure groupset permissions on some bugs. Affected components: Bugzilla mass-update logic affecting bug groupsets. Root cause...

CVSS 7.5 | AI score 6.6 | EPSS 0.01116

CVE | added 2004/09/01 4:00 a.m.

CVE-2002-1196

CVE-2002-1196 affects Bugzilla: when using the “usebuggroups” feature and more than 47 groups are specified, editproducts.cgi in Bugzilla 2.14.x (before 2.14.4) and 2.16.x (before 2.16.1) does not correctly calculate bit values for large numbers, allowing extra permissions to be granted via Perl ...

CVSS 7.5 | AI score 6.5 | EPSS 0.01589

CVE | added 2004/07/21 4:00 a.m.

CVE-2004-0706

CVE-2004-0706 concerns Bugzilla 2.17.5 through 2.17.7. The vulnerability is that Bugzilla embeds the database password in an image URL, which could allow local users to view the password via web server log files. The descriptions in the provided documents confirm the affected versions and the ro...

CVSS 2.1 | AI score 6.5 | EPSS 0.00292

CVE | added 2006/02/28 11:00 a.m.

CVE-2006-0915

CVE-2006-0915 concerns Bugzilla 2.16.10, where the application does not properly handle certain characters in the attachments parameters (maxpatchsize and maxattachmentsize) in attachment.cgi. This improper input handling can cause a remote SQL error, per the NVD description. The connected docume...

CVSS 7.5 | AI score 6.9 | EPSS 0.0116

CVE | added 2008/05/07 8:07 p.m.

CVE-2008-2103

CVE-2008-2103 describes a cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later, allowing remote attackers to inject arbitrary script/HTML via the id parameter in the Format for Printing and Long Format bug views. Connected sources confirm vendor advisories and OpenVAS/Nessus entr...

CVSS 4.3 | AI score 5.5 | EPSS 0.01349

CVE | added 2011/01/28 3:00 p.m.

CVE-2010-4570

CVE-2010-4570 is an XSS vulnerability in Bugzilla’s duplicate-detection feature (Bugzilla 3.7.1/3.7.2/3.7.3/4.0rc1) where the summary field can be exploited via the DataTable widget in YUI to inject arbitrary script/HTML. Connected documents confirm the CVE is referenced among Bugzilla-related ad...

CVSS 4.3 | AI score 5.6 | EPSS 0.01739

Total number of security vulnerabilities: 145