Search: Mozilla Bugzilla

145 matches found

CVE-2011-3657 (added 2012/01/02 7:00 p.m.; 54 views)

CVE-2011-3657 describes multiple XSS vulnerabilities in Bugzilla when debug mode is enabled. Affected products include Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3. The flaws allow remote attackers to inject arbitr...

CVSS 4.3 | AI score 5.5 | EPSS 0.01567
Web
CVE-2001-0330 (added 2001/09/18 4:00 a.m.; 53 views)

Bugzilla 2.10 contains a vulnerability where a remote attacker can access the database username and password by requesting the globals.pl file, which is served as plain text by the web server. The issue arises from exposing sensitive configuration data in a Perl CGI file. A fix is available in Bu...

CVSS 7.5 | AI score 6.8 | EPSS 0.02058
CVE-2003-1043 (added 2004/06/03 4:00 a.m.; 53 views)

CVE-2003-1043 affects Bugzilla versions 2.16.3 and earlier, and 2.17.1–2.17.4, where remote authenticated users with editkeywords privileges can execute arbitrary SQL through the id parameter to editkeywords.cgi. The issue is a SQL injection in Bugzilla’s keyword-editing flow,...

CVSS 10 | AI score 7.8 | EPSS 0.02572
CVE-2009-0483 (added 2009/02/09 5:00 p.m.; 53 views)

CVE-2009-0483 describes a Cross-site request forgery (CSRF) vulnerability in Bugzilla versions 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2. The flaw allows remote attackers to delete keywords and user preferences by delivering a crafted link or IMG tag to editkeyw...

CVSS 5.8 | AI score 6.6 | EPSS 0.00599
CVE-2010-2759 (added 2010/08/13 7:00 p.m.; 53 views)

The CVE-2010-2759 entry applies to Bugzilla 2.23.1–3.2.7, 3.3.1–3.4.7, 3.5.1–3.6.1, and 3.7–3.7.2 when used with PostgreSQL. It describes a vulnerability where large integers in (1) bug and (2) attachment phrases are not handled correctly, allowing remote authenticated users to cause a denial of ...

CVSS 4 | AI score 6 | EPSS 0.01828
CVE-2012-4197 (added 2012/11/16 11:00 a.m.; 53 views)

CVE-2012-4197 affects Bugzilla’s Attachment.pm in attachment.cgi, allowing remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action. Affected: Bugzilla 2.x/3.x before 3.6.12, 3.7.x, 4.0.x before 4.0.9, 4.1.x/4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4r...

CVSS 5 | AI score 6.6 | EPSS 0.01543
Web
CVE-2012-4199 (added 2012/11/16 11:00 a.m.; 53 views)

CVE-2012-4199 concerns Bugzilla’s template file template/en/default/bug/field-events.js.tmpl, which generates JavaScript function calls that can reveal private product or component names in certain circumstances involving custom-field visibility controls. The issue affects Bugzilla 3.x before 3.6.12, Bugzilla 3.7.x and 4.0.x before 4.0.9, Bugzilla 4....

CVSS 4.3 | AI score 5.9 | EPSS 0.00962
CVE-2002-0810 (added 2003/04/02 5:00 a.m.; 52 views)

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 contains an information leakage vulnerability in the syncshadowdb command. Error messages are written to HTML output, which could leak sensitive information, including plaintext passwords, if syncshadowdb fails. Affected versions should be updat...

CVSS 5 | AI score 6.5 | EPSS 0.01196
CVE-2004-0702 (added 2004/07/21 4:00 a.m.; 52 views)

Bugzilla 2.17.1–2.17.7 is affected by CVE-2004-0702: the DBI layer displays the database password in an error message when the SQL server is not running, enabling potential information disclosure to remote attackers. The issue concerns the Bugzilla CGI/database interaction rather than input valid...

CVSS 5 | AI score 7.5 | EPSS 0.01196
CVE-2007-4539 (added 2007/08/27 9:00 p.m.; 52 views)

CVE-2007-4539 concerns Bugzilla’s WebService (XML-RPC) interface. Affected product versions are Bugzilla 2.23.3 through 3.0.0. The root cause is that the XML-RPC interface does not enforce permissions for the time-tracking fields of bugs, enabling a remote attacker to obtain sensitive information...

CVSS 5 | AI score 6 | EPSS 0.01649
CVE-2010-2757 (added 2010/08/13 7:00 p.m.; 52 views)

CVE-2010-2757 describes a vulnerability in Bugzilla where the sudo feature fails to send impersonation notifications, enabling remote authenticated users to impersonate other users without discovery. The description lists affected Bugzilla releases across multiple branches (2.22rc1–3.2.7, 3.3.1–3...

CVSS 6.5 | AI score 6 | EPSS 0.01251
CVE-2002-0009 (added 2003/04/02 5:00 a.m.; 51 views)

In Bugzilla versions before 2.14.1, a user with Bugs Access privileges could trigger information disclosure by submitting a bug and reading the resulting Product pulldown menu, revealing other products not accessible to them. The root cause is insufficient access controls around the Product pulld...

CVSS 5 | AI score 6.9 | EPSS 0.01194
CVE-2002-0011 (added 2003/04/02 5:00 a.m.; 51 views)

The CVE refers to Bugzilla, where the doeditvotes.cgi component in versions prior to 2.14.1 has an information leak that could allow remote attackers to more easily conduct attacks on the login. This is a partial confidentiality impact vulnerability (NVD metrics show MEDIUM severity, CVSS v2.0: A...

CVSS 5 | AI score 7 | EPSS 0.01395
CVE-2002-0807 (added 2002/07/31 4:00 a.m.; 51 views)

CVE-2002-0807: Cross-site scripting in Bugzilla affects versions 2.14 before 2.14.2 and 2.16 before 2.16rc2. Root cause: the real name field is not properly quoted by editusers.cgi, allowing remote attackers to run script as other Bugzilla users. Impact: partial confidentiality/integrity/availabi...

CVSS 7.5 | AI score 6.8 | EPSS 0.01303
CVE-2002-0809 (added 2003/04/02 5:00 a.m.; 51 views)

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 mishandles URL-encoded field names generated by some browsers, causing certain fields to appear unset and resulting in removal of group permissions on bugs when buglist.cgi is used with the encoded field names. Affected components: Bugzilla bug ...

CVSS 7.5 | AI score 6.6 | EPSS 0.01116
CVE-2002-1198 (added 2004/09/01 4:00 a.m.; 51 views)

This CVE (CVE-2002-1198) affects Bugzilla 2.16.x prior to 2.16.1. The issue is an SQL injection vulnerability during account creation caused by improper filtering of apostrophes in the email address, enabling remote attackers to execute arbitrary SQL. Affected component: Bugzilla account creation...

CVSS 7.5 | AI score 8.1 | EPSS 0.01088
CVE-2004-1634 (added 2005/02/20 5:00 a.m.; 51 views)

The CVE-2004-1634 entry concerns Bugzilla. Affected versions are Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, where the insidergroup feature and XML export of a bug can reveal private comments and attachment summaries. This exposes sensitive information to remote attackers. The underlying c...

CVSS 5 | AI score 6.8 | EPSS 0.0121
CVE-2005-1564 (added 2005/05/14 4:00 a.m.; 51 views)

Bugzilla 2.10–2.18, 2.19.1, 2.19.2 contains a vulnerability in post_bug.cgi where a remote authenticated user can enter bugs into products that are closed for bug entry by altering the product name in the URL. The root cause is improper handling of product-name validation in the bug-entry flow, a...

CVSS 7.5 | AI score 6.4 | EPSS 0.01563
CVE-2009-0482 (added 2009/02/09 5:00 p.m.; 51 views)

CVE-2009-0482 is a CSRF vulnerability in Bugzilla affecting 3.2 before 3.2.1 and 3.3 before 3.3.2, enabling remote attackers to perform bug-updating actions as other users via a crafted link or IMG tag to process_bug.cgi. Public references in the connected documents...

CVSS 5.8 | AI score 6.6 | EPSS 0.00504
CVE-2012-4747 (added 2012/09/04 10:00 a.m.; 51 views)

Bugzilla vulnerability CVE-2012-4747: Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root due to insufficient access control. This allows remote attackers to read (1) template...

CVSS 5 | AI score 6.3 | EPSS 0.01657
Web
CVE-2012-5884 (added 2012/11/16 11:00 a.m.; 51 views)

Technical details for CVE-2012-5884 are not provided in the supplied documents. Monitor for updates from vendors and security advisories.

CVSS 5 | AI score 6.2 | EPSS 0.01167
CVE-2002-0007 (added 2002/06/25 4:00 a.m.; 50 views)

CVE-2002-0007 affects the Bugzilla CGI.pl component prior to 2.14.1 when used with LDAP. The vulnerability allows a remote attacker to trigger an anonymous LDAP bind by issuing a request that omits a password, causing a null password to be sent to the LDAP server. This is caused by the LDAP bindi...

CVSS 10 | AI score 7.1 | EPSS 0.02371
CVE-2004-1633 (added 2005/02/20 5:00 a.m.; 50 views)

The CVE-2004-1633 issue affects Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS, where process_bug.cgi does not enforce edit permissions on the keywords field. An authenticated remote user can modify a bug’s keywords via the keywordaction parameter. The connected documents confirm the vulnerable ...

CVSS 5 | AI score 6.6 | EPSS 0.01164
CVE-2008-2105 (added 2008/05/07 8:07 p.m.; 50 views)

CVE-2008-2105 affects Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3.1.4. A remote authenticated user can abuse the @reporter command in the body of an email to spoof the bug changer, overriding the address from the From header. This bypasses normal From-header...

CVSS 3.5 | AI score 6 | EPSS 0.00967
CVE-2012-0448 (added 2012/02/02 6:00 p.m.; 50 views)

Bugzilla vulnerability CVE-2012-0448: Bugzilla versions 2.x/3.x and 4.x exhibit improper rejection of non-ASCII characters in new-user email addresses, enabling potential account impersonation. The issue arises from insufficient validation of email fields, allowing visually similar addresses to b...

CVSS 4 | AI score 6 | EPSS 0.01013
CVE-2001-1405 (added 2002/08/31 4:00 a.m.; 49 views)

Bugzilla before 2.14 allows local users to cause a denial of service by flooding sanitycheck.cgi due to lack of access restriction. Affected component: sanitycheck.cgi in Bugzilla; root cause: insufficient access control. Impact: CPU consumption leading to partial availability loss. Exploit detai...

CVSS 2.1 | AI score 6.6 | EPSS 0.0029
CVE-2003-1045 (added 2004/06/03 4:00 a.m.; 49 views)

CVE-2003-1045 affects Bugzilla: votes.cgi in Bugzilla 2.16.3 and earlier, and 2.17.1–2.17.4. The vulnerability lets remote attackers read a user’s voting page if that user voted on a restricted bug, by modifying the who parameter to access potentially sensitive voting information. The underlying ...

CVSS 5 | AI score 6.2 | EPSS 0.0121
CVE-2006-5454 (added 2006/10/23 5:00 p.m.; 49 views)

CVE-2006-5454 affects Bugzilla: versions 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3. The vulnerability allows remote attackers to (1) obtain the description of arbitrary attachments by viewing an attachment in diff mode (attachment.cgi), and (2) rea...

CVSS 5 | AI score 6.5 | EPSS 0.01909
CVE-2005-1565 (added 2005/05/14 4:00 a.m.; 48 views)

CVE-2005-1565 affects Bugzilla versions 2.17.1–2.18 and 2.19.1–2.19.2. When a user is prompted to log in while viewing a chart, Bugzilla may display the password in the URL, potentially allowing local users to access sensitive information via web logs or browser history. The provided documents do...

CVSS 5 | AI score 6.3 | EPSS 0.01217
CVE-2005-3139 (added 2005/10/05 4:00 a.m.; 48 views)

CVE-2005-3139 affects Bugzilla 2.19.1 through 2.20rc2 and 2.21. When user matching is enabled in substring mode, it can disclose usernames that match an arbitrary substring, even with useVisibilityGroups set. Root cause is substring-based user search bypassing visibility controls, leading to part...

CVSS 5 | AI score 6.6 | EPSS 0.00975
CVE-2008-2104 (added 2008/05/07 8:07 p.m.; 48 views)

The CVE-2008-2104 entry concerns Bugzilla 3.1.3’s WebService: remote authenticated users lacking canconfirm privileges can create NEW or ASSIGNED bug entries via XML-RPC, bypassing the canconfirm check. The connected documents confirm the affected product/version and the bypass directly enabling ...

CVSS 4 | AI score 6.3 | EPSS 0.0093
CVE-2002-0803 (added 2002/07/31 4:00 a.m.; 47 views)

The CVE-2002-0803 issue affects Bugzilla where versions 2.14 before 2.14.2 and 2.16 before 2.16rc2 allow remote attackers to disclose restricted products and components through a direct HTTP request to queryhelp.cgi. Root cause is improper access control on the queryhelp.cgi endpoint, enabling in...

CVSS 5 | AI score 6.7 | EPSS 0.01352
CVE-2002-0811 (added 2002/07/31 4:00 a.m.; 47 views)

CVE-2002-0811 affects Bugzilla: versions 2.14 before 2.14.2 and 2.16 before 2.16rc2. The vulnerability allows remote attackers to cause a denial of service or execute certain queries via a SQL injection in the sort order parameter of buglist.cgi. Connected sources also link multiple related CVEs ...

CVSS 7.5 | AI score 7.7 | EPSS 0.0173
CVE-2005-3138 (added 2005/10/05 4:00 a.m.; 46 views)

CVE-2005-3138 affects Bugzilla 2.18rc1–2.18.3, 2.19–2.20rc2, and 2.21. An unauthenticated remote attacker can retrieve sensitive information (e.g., the list of installed products) through the config.cgi endpoint, which remains accessible even when the requirelogin parameter is set. The underlying is...

CVSS 5 | AI score 6.2 | EPSS 0.01139
CVE-2006-2420 (added 2006/05/16 10:00 a.m.; 46 views)

CVE-2006-2420 affects Bugzilla 2.20rc1 through 2.20 and 2.21.1 when using RSS 1.0, enabling remote XSS via a title element containing HTML-encoded sequences (e.g., "&gt;") that are decoded by some RSS readers. The issue is described as stemming from RSS design/documentation inconsistencies or RSS...

CVSS 4.3 | AI score 5.6 | EPSS 0.01537
CVE-2002-0008 (added 2002/01/10 5:00 a.m.; 45 views)

CVE-2002-0008 affects Bugzilla prior to 2.14.1. The vulnerability allows remote attackers to impersonate users: (1) spoof a user comment by sending a request to process_bug.cgi using the who parameter instead of the Bugzilla_login cookie, and (2) post a bug as another user by altering the reporte...

CVSS 7.5 | AI score 7.1 | EPSS 0.01855
CVE-2002-0010 (added 2002/01/10 5:00 a.m.; 45 views)

Bugzilla prior to 2.14.1 contains multiple input handling flaws that enable remote SQL injection and file creation, potentially elevating privileges. Specifically, via: (1) sql parameter in buglist.cgi, (2) invalid field names in the boolean chart query in buglist.cgi, (3) mybugslink parameter in...

CVSS 7.5 | AI score 7.9 | EPSS 0.02281
CVE-2002-0806 (added 2003/04/02 5:00 a.m.; 45 views)

Bugzilla 2.14 prior to 2.14.2 and 2.16 prior to 2.16rc2 is vulnerable: authenticated users with editing privileges can delete other users by calling editusers.cgi directly with the "del" option. The issue, as described in t...

CVSS 2.1 | AI score 6.4 | EPSS 0.00309
CVE-2003-1042 (added 2004/06/03 4:00 a.m.; 45 views)

CVE-2003-1042 affects Bugzilla 2.16.3 and earlier. A SQL injection in the script collectstats.pl allows remote authenticated users with editproducts privileges to execute arbitrary SQL via the product name, potentially compromising confidentiality, integrity, and availability. The provided docu...

CVSS 10 | AI score 7.8 | EPSS 0.02572
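The SQL injection entries in this list (CVE-2003-1043 via the editkeywords.cgi id parameter, CVE-2002-1198 via an apostrophe in the e-mail address, CVE-2003-1042 via the product name, and CVE-2002-0811 via the buglist.cgi sort order) share two distinct root causes: user-supplied values spliced into SQL text, and a user-supplied identifier (the ORDER BY column) that bind placeholders cannot protect. The Perl below is an added example written for this page, not Bugzilla's own code; it assumes DBI with DBD::SQLite is installed, and the table, rows, attacker input and the hypothetical `order_by_clause` helper are all constructed here.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code.  Assumes DBI and DBD::SQLite are
# installed; the table, rows and attacker input below are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE profiles (userid INTEGER PRIMARY KEY, login_name TEXT)');
$dbh->do(q{INSERT INTO profiles VALUES (1, 'admin@example.com')});

# Vulnerable pattern (the CVE-2002-1198 shape): the e-mail address is
# interpolated into the SQL text, so an apostrophe ends the string literal
# and whatever follows is parsed as SQL.
sub find_user_interpolated {
    my ($dbh, $email) = @_;
    my $sql = "SELECT userid, login_name FROM profiles WHERE login_name = '$email'";
    return $dbh->selectall_arrayref($sql);
}

# Hardened pattern: a bind placeholder keeps the address as data whatever it
# contains; the driver never re-parses it as SQL.  The same fix applies to a
# numeric id parameter such as the editkeywords.cgi case.
sub find_user_bound {
    my ($dbh, $email) = @_;
    return $dbh->selectall_arrayref(
        'SELECT userid, login_name FROM profiles WHERE login_name = ?',
        undef, $email);
}

# Placeholders cannot bind identifiers, so a user-chosen ORDER BY column (the
# buglist.cgi sort-order case) needs an allowlist rather than quoting.
my %sortable = map { $_ => 1 } qw(userid login_name);
sub order_by_clause {
    my ($column) = @_;
    die "unknown sort column '$column'\n" unless $sortable{$column};
    return "ORDER BY $column";
}

# Constructed attacker input: a non-existent address with a trailing OR clause.
my $email = "nobody\@example.com' OR '1'='1";

for my $finder (['interpolated', \&find_user_interpolated],
                ['bound',        \&find_user_bound]) {
    my $rows = $finder->[1]->($dbh, $email);
    printf "%-12s query returned %d row(s)\n", $finder->[0], scalar @$rows;
}

for my $col ('login_name', 'userid; DROP TABLE profiles') {
    my $clause = eval { order_by_clause($col) };
    my $msg = $@ ? "rejected: $@" : "accepted: $clause\n";
    print $msg;
}
```

With the constructed input the interpolated query returns the admin row even though no such address exists, because the OR '1'='1' tail matches every row; the bound query returns nothing. The second sort column is refused before any SQL is built, which is the only defence available for identifiers.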
CVE-2006-0916 (added 2006/02/28 11:00 a.m.; 45 views)

Bugzilla 2.19.3 through 2.20 contains a URL handling flaw during login redirects: sequences like // can cause a form action to be built with a URL to a different domain, potentially exposing form data to an unintended site. This is documented in multiple connected sources (e.g., PRION entry and N...

CVSS 7.5 | AI score 6 | EPSS 0.01175
CVE-2011-3668 (added 2012/01/02 7:00 p.m.; 44 views)

The CVE-2011-3668 entry describes a cross-site request forgery (CSRF) in Bugzilla’s post_bug.cgi script affecting Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Exploitation would allow remote attackers to hijack the authentication of arbitrary users to perform actions that create bug reports. The...

CVSS 6.8 | AI score 7.1 | EPSS 0.00945
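The CSRF entries in this list (CVE-2009-0482 against process_bug.cgi, CVE-2009-0483 against editkeywords.cgi, and CVE-2011-3668 against post_bug.cgi) all come down to state-changing handlers that accept any request carrying the victim's session cookie, including one triggered by a link or IMG tag on an attacker's page. The Perl below is an added example written for this page, not Bugzilla's own token code; it uses only the core Digest::SHA module, and the server secret, session id, action names and form hashes are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: a per-session, per-action anti-CSRF token
# of the kind a process_bug.cgi or post_bug.cgi style handler must check.
# Uses only core modules; secret, session id and form data are constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $server_secret = 'rotate-me-and-keep-out-of-templates';   # constructed

# The token is bound to the session and to the action it authorises, so a
# token harvested from one form cannot be replayed against another handler.
sub issue_token {
    my ($session_id, $action) = @_;
    return hmac_sha256_hex(join("\0", $session_id, $action), $server_secret);
}

# Constant-time comparison: a short-circuiting string compare would let an
# attacker recover the token byte by byte from response timing.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Every state-changing handler calls this before touching the bug.  A request
# without a token (the IMG-tag case) fails the length check immediately.
sub check_token {
    my ($form, $session_id, $action) = @_;
    my $sent = $form->{token} // '';
    return tokens_equal($sent, issue_token($session_id, $action));
}

my $session = 'sess-8d2f';
my %legit  = (id => 42, token => issue_token($session, 'update_bug'));
my %forged = (id => 42);                                          # no token
my %replay = (id => 42, token => issue_token($session, 'create_bug'));

for my $case (['legitimate form',          \%legit],
              ['forged request',           \%forged],
              ['token from another action', \%replay]) {
    my $verdict = check_token($case->[1], $session, 'update_bug') ? 'accepted' : 'rejected';
    printf "%-27s %s\n", "$case->[0]:", $verdict;
}
```

The legitimate form is accepted; the forged request and the token issued for a different action are both rejected. Binding the token to the action is what stops a token legitimately obtained from, say, the keyword-editing form from being reused to drive process_bug.cgi.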
CVE-2001-1403 (added 2002/08/31 4:00 a.m.; 43 views)

This CVE (CVE-2001-1403) affects Bugzilla prior to version 2.14, where username and password were included in URLs. The underlying issue is credentials exposed in URLs, which could enable attackers to gain privileges by reading web server access logs or by shoulder-surfing and observing the brows...

CVSS 7.5 | AI score 7.2 | EPSS 0.01126
CVE-2002-1197 (added 2004/09/01 4:00 a.m.; 43 views)

CVE-2002-1197 affects Bugzilla versions 2.14.x before 2.14.4 and 2.16.x before 2.16.1. A flaw in bugzilla_email_append.pl allows remote attackers to execute arbitrary code by injecting shell metacharacters into a system call to processmail. The vulnerability is introduced in the email processing ...

CVSS 7.5 | AI score 7.7 | EPSS 0.02343
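The CVE-2002-1197 entry above describes the classic Perl mistake of building a command line as one string and handing it to system(), which routes it through /bin/sh and lets shell metacharacters in the address execute. The Perl below is an added example written for this page, not Bugzilla's bugzilla_email_append.pl; /bin/echo stands in for processmail so it runs anywhere, and the attacker-controlled address is constructed.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code.  /bin/echo stands in for processmail so
# the example runs anywhere; the address is constructed attacker input.
use strict;
use warnings;

$| = 1;   # flush our prints before the child process writes to the terminal
my $processmail = '/bin/echo';

# Vulnerable (the CVE-2002-1197 shape): a single string argument is handed to
# "/bin/sh -c", so ';', '|', backticks and $(...) in the address are executed.
sub notify_via_shell {
    my ($addr) = @_;
    return system("$processmail $addr") == 0;
}

# Hardened: the list form execs the program with argv elements and no shell,
# so the address reaches the program as one opaque argument.  Rejecting
# anything outside the expected address shape is a second, independent layer.
sub notify_direct {
    my ($addr) = @_;
    die "malformed address\n"
        unless $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    return system($processmail, $addr) == 0;
}

my $addr = 'victim@example.com; echo INJECTED-COMMAND-RAN';

print "--- one-argument system(): the shell splits on ';' and runs both\n";
notify_via_shell($addr);

print "--- list-form system(): validated, then passed as a single argv entry\n";
my $ok  = eval { notify_direct($addr); 1 };
my $msg = $ok ? "sent\n" : "refused: $@";
print $msg;

notify_direct('victim@example.com');
```

In the first run the stand-in program prints the address and the shell then runs the injected echo as a second command. In the hardened path the same string never reaches a shell: it is refused by the shape check, and a well-formed address is passed to the program as exactly one argument.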
CVE-2003-1044 (added 2004/06/03 4:00 a.m.; 42 views)

CVE-2003-1044 affects Bugzilla 2.16.3 and earlier where, when usebuggroups is enabled, deleting a group fails to remove its group add privileges. This allows users with those privileges to perform unauthorized additions to the next group assigned the original group ID. The root cause is improper ...

CVSS 7.5 | AI score 6.5 | EPSS 0.01156
CVE-2001-1404 (added 2002/08/31 4:00 a.m.; 41 views)

CVE-2001-1404 describes a vulnerability in Bugzilla prior to version 2.14 where passwords were stored in plaintext and password requests could be sent via email. The underlying issue is insecure password handling, enabling privilege escalation if an attacker could access or intercept credentials....

CVSS 7.5 | AI score 7.4 | EPSS 0.01126
Total number of security vulnerabilities: 145