Lucene search: Mozilla Bugzilla

11 matches found

CVE-2003-0012 (added 2004/09/01, 4:00 a.m.)

The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data.

CVSS 2.1 | AI score 6.1 | EPSS 0.00059
CVE-2010-3172 (added 2010/11/05, 5:00 p.m.)

CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

CVSS 2.6 | AI score 6.5 | EPSS 0.00733
CVE-2011-2977 (added 2011/08/09, 7:55 p.m.)

Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6...

CVSS 2.1 | AI score 5.5 | EPSS 0.00067
CVE-2001-1406 (added 2003/04/02, 5:00 a.m.)

process_bug.cgi in Bugzilla before 2.14 does not set the "groupset" bit when a bug is moved between product groups, which will cause the bug to have the old group's restrictions, which might not be as stringent.

CVSS 2.1 | AI score 6.8 | EPSS 0.00115
CVE-2005-2174 (added 2005/07/08, 4:00 a.m.)

Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete.

CVSS 2.6 | AI score 5.9 | EPSS 0.00395
CVE-2008-7292 (added 2011/08/09, 7:55 p.m.)

Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before 3.0.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files, a different vulnerability than CVE-2011-2977.

CVSS 2.1 | AI score 5.6 | EPSS 0.00067
CVE-2006-5455 (added 2006/10/23, 5:07 p.m.)

Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL.

CVSS 2.6 | AI score 6.7 | EPSS 0.00914
CVE-2003-0603 (added 2003/08/27, 4:00 a.m.)

Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions.

CVSS 2.1 | AI score 6.4 | EPSS 0.00092
CVE-2001-1405 (added 2002/08/31, 4:00 a.m.)

Bugzilla before 2.14 does not restrict access to sanitycheck.cgi, which allows local users to cause a denial of service (CPU consumption) via a flood of requests to sanitycheck.cgi.

CVSS 2.1 | AI score 6.6 | EPSS 0.00063
CVE-2004-0706 (added 2004/07/27, 4:00 a.m.)

Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files.

CVSS 2.1 | AI score 6.5 | EPSS 0.00071
CVE-2002-0806 (added 2003/04/02, 5:00 a.m.)

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option.

CVSS 2.1 | AI score 6.4 | EPSS 0.00131