Lucene search
+L
MozillaBugzilla

38 matches found

CVE
CVE
added 2012/11/16 11:0 a.m.192 views

CVE-2012-5883

CVE-2012-5883 is a cross-site scripting (XSS) vulnerability in the Flash component infrastructure of YUI (versions 2.8.0–2.9.0) used by Bugzilla 3.7.x/4.0.x (before 4.0.9), 4.1.x/4.2.x (before 4.2.4), and 4.3.x/4.4.x (before 4.4rc1). The issue allows remote attackers to inject arbitrary script/HT...

4.3CVSS7AI score0.02105EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.93 views

CVE-2010-4567

CVE-2010-4567 affects Bugzilla: whitespace before javascript: or data: in the URL field allows XSS. Affected versions per description: Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2. Public notices across multiple advisories confirm the issue and provide ...

4.3CVSS5.6AI score0.01785EPSS
CVE
CVE
added 2011/08/09 7:0 p.m.82 views

CVE-2011-2379

CVE-2011-2379 is a cross-site scripting issue in Bugzilla related to viewing patches in Raw Unified mode . The vulnerability arises because an alternate host used for attachments when viewing them in raw format is also used for patches, and it is exploited when users use Internet Explorer < 9 ...

4.3CVSS5.4AI score0.01669EPSS
CVE
CVE
added 2013/10/24 10:0 a.m.78 views

CVE-2013-1743

CVE-2013-1743 is a cross-site scripting (XSS) vulnerability in Bugzilla’s report.cgi used to build tabular reports. It allows remote attackers to inject arbitrary script/HTML via a field value (e.g., the sum mary or real name) during report construction, due to an incomplete fix for CVE-2012-4189...

4.3CVSS5.6AI score0.02824EPSS
CVE
CVE
added 2012/11/16 11:0 a.m.77 views

CVE-2012-4189

CVE-2012-4189 is a cross-site scripting (XSS) vulnerability in Bugzilla where an attacker can inject arbitrary script/HTML via a field value (notably the Version field) when constructing a tabular report. Affected are Bugzilla 4.1.x and 4.2.x before 4.2.4; and 4.3.x and 4.4.x before 4.4rc1. The u...

4.3CVSS5.4AI score0.01038EPSS
Web
CVE
CVE
added 2013/10/24 10:0 a.m.76 views

CVE-2013-1742

The CVE-2013-1742 issue affects Bugzilla’s editflagtypes.cgi across multiple releases. Vulnerable versions include Bugzilla 2.x, 3.x, and 4.0.x prior to 4.0.11; 4.1.x and 4.2.x prior to 4.2.7; and 4.3.x and 4.4.x prior to 4.4.1. The root cause is improper validation of parameters (id, sortkey), e...

4.3CVSS5.5AI score0.02405EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.75 views

CVE-2010-4572

CVE-2010-4572 is a CRLF/header injection vulnerability in Bugzilla that can be triggered via the query string to inject HTTP headers and enable HTTP response splitting. Debian’s security advisory DSA-2322-1 explicitly lists this CVE among vulnerabilities in Bugzilla and notes that the issue was f...

4.3CVSS8.9AI score0.018EPSS
CVE
CVE
added 2004/12/31 5:0 a.m.74 views

CVE-2004-1061

CVE-2004-1061 is an XSS vulnerability in Bugzilla prior to 2.18 (and in 2.16.x prior to 2.16.11). An attacker could inject arbitrary HTML/script via forced error messages, using the action parameter. Affected versions include Bugzilla < 2.18.0 and 2.16.x

4.3CVSS5.7AI score0.01034EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.74 views

CVE-2010-4569

CVE-2010-4569 is an XSS vulnerability in Bugzilla affecting versions 3.7.1, 3.7.2, 3.7.3, and 4.0rc1. The issue arises in Bugzilla’s user account real name field, related to the YUI AutoComplete widget, allowing remote attackers to inject arbitrary script/HTML. The connected records confirm the B...

4.3CVSS5.5AI score0.01724EPSS
CVE
CVE
added 2012/04/27 8:0 p.m.73 views

CVE-2012-0466

CVE-2012-0466 affects Bugzilla 2.x/3.x prior to 3.6.9, 3.7.x, and 4.0.x prior to 4.0.6, as well as 4.1.x and 4.2.x prior to 4.2.1. The flaw is in template/en/default/list/list.js.tmpl that does not properly handle multiple logins, enabling remote attackers to perform cross-site scripting (XSS) an...

4CVSS5.3AI score0.00852EPSS
CVE
CVE
added 2016/01/03 2:0 a.m.73 views

CVE-2015-8509

CVE-2015-8509 affects Bugzilla templates (Template.pm) across Bugzilla 2.x, 3.x, 4.x up to 4.2.16/4.3.x and 4.4.x up to 4.4.11, and 4.5.x–5.0.x up to 5.0.2. The issue stems from improper CSV construction that, when a CSV is interpreted as JavaScript by a browser, may leak sensitive information. T...

4.3CVSS4.1AI score0.01906EPSS
CVE
CVE
added 2007/08/27 9:0 p.m.71 views

CVE-2007-4543

CVE-2007-4543 is a cross-site scripting (XSS) vulnerability in Bugzilla. According to the provided sources, it affects the bug filing form in Bugzilla’s guided form via the buildid parameter. A remote attacker could inject arbitrary script/HTML, enabling credential theft or session compromise. Af...

4.3CVSS5.5AI score0.01364EPSS
CVE
CVE
added 2010/02/03 7:0 p.m.70 views

CVE-2009-3989

CVE-2009-3989 affects Bugzilla prior to fixed versions: 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3. The issue allows remote attackers to obtain sensitive information by requesting directories used for custom installations (e.g., CVS/, contrib/, docs/en/xml/, t/, old-pa...

4.3CVSS6.1AI score0.01531EPSS
CVE
CVE
added 2011/08/09 7:0 p.m.70 views

CVE-2011-2381

Summary: CVE-2011-2381 is a CRLF injection vulnerability in Bugzilla that allows remote attackers to inject arbitrary email headers via an attachment description in a flagmail notification. The initial description lists affected versions: Bugzilla 2.17.1–2.22.7, 3.0.x–3.3.x, 3.4.x before 3.4.12, ...

4.3CVSS6.7AI score0.01518EPSS
CVE
CVE
added 2016/01/03 2:0 a.m.70 views

CVE-2015-8508

CVE-2015-8508 is a cross-site scripting (XSS) vulnerability in Bugzilla’s showdependencygraph.cgi. The attacker can inject arbitrary script/HTML via a crafted bug summary when a local dot configuration is used. Affected products/versions include Bugzilla 2.x, 3.x, and 4.x before 4.2.16; 4.3.x and...

4.7CVSS4.6AI score0.01476EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.69 views

CVE-2011-0048

CVE-2011-0048 affects Bugzilla: the URL field (bug_file_loc) can contain javascript: or data: URIs. The issue allows cross-site scripting against logged-out users when the URI is crafted in certain Bugzilla versions (3.2.x up to 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, 4.0.x before 4.0rc2...

4.3CVSS5.5AI score0.01785EPSS
CVE
CVE
added 2013/02/24 11:0 a.m.69 views

CVE-2013-0785

CVE-2013-0785 : A cross-site scripting (XSS) vulnerability exists in Bugzilla’s show_bug.cgi whereby an attacker can inject arbitrary script/HTML via the id parameter when used with an invalid format parameter. Affected Bugzilla branches include 3.6.x, 3.7.x, 4.0.x before 4.0.10, 4.1.x, 4.2.x bef...

4.3CVSS5.6AI score0.01433EPSS
CVE
CVE
added 2014/10/13 1:0 a.m.69 views

CVE-2014-1571

Bugzilla is affected in multiple lines: vulnerable components are Bugzilla versions 2.x–4.0.x (pre-4.0.15), 4.1.x, 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6. The flaw allows remote authenticated users to obtain sensitive private-comment information by abusing a rol...

4CVSS5.6AI score0.01353EPSS
CVE
CVE
added 2014/08/14 10:0 a.m.67 views

CVE-2014-1546

The CVE-2014-1546 issue affects Bugzilla’s JSONP endpoint (jsonrpc.cgi) in Bugzilla 3.x and 4.x prior to the listed fixed versions (before 4.0.14, 4.2.10 for 4.2.x, 4.4.5 for 4.3/4.4.x, and 4.5.5 for 4.5.x). The vulnerability stems from the JSONP response function in Bugzilla’s JSONRPC.pm, which ...

4.3CVSS6.4AI score0.00542EPSS
Web
CVE
CVE
added 2012/11/16 11:0 a.m.63 views

CVE-2012-4198

The CVE-2012-4198 issue affects Bugzilla’s WebService User.get method in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4rc1. Root cause: different outcomes for a groups request depending on whether a group exists, enabling remote authenticated users...

4CVSS6.1AI score0.00874EPSS
CVE
CVE
added 2011/08/09 7:0 p.m.62 views

CVE-2011-2976

Bugzilla (Bugzilla) XSS vulnerability CVE-2011-2976 affects Bugzilla 2.16rc1–2.22.7, 3.0.x–3.3.x, and 3.4.x before 3.4.12. The issue allows remote attackers to inject arbitrary web script or HTML via vectors involving the BUGLIST cookie. No remediation details are provided in the connected docume...

4.3CVSS5.5AI score0.01446EPSS
CVE
CVE
added 2012/07/28 6:0 p.m.62 views

CVE-2012-1968

Bugzilla HTML bugmails vulnerability (CVE-2012-1968): versions 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 serialize bug/attachment IDs with tooltips, but permission checks use the editor’s rights instead of the addressee’s. This can disclose confidential information via tooltips in HTML ...

4.3CVSS6.1AI score0.01457EPSS
CVE
CVE
added 2014/10/13 1:0 a.m.61 views

CVE-2014-1573

CVE-2014-1573 affects Bugzilla before fixes: 2.x–4.0.x before 4.0.15; 4.1.x and 4.2.x before 4.2.11; 4.3.x and 4.4.x before 4.4.6; and 4.5.x before 4.5.6. The issue arises from not ensuring scalar context for certain CGI parameters, enabling remote XSS via a single parameter name receiving three ...

4.3CVSS5.6AI score0.02326EPSS
CVE
CVE
added 2007/02/06 7:0 p.m.60 views

CVE-2007-0791

CVE-2007-0791 is a cross-site scripting (XSS) vulnerability in Bugzilla’s Atom feeds affecting Bugzilla versions 2.20.3, 2.22.1, 2.23.3, and older releases back to 2.20.1. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors within Atom feeds. The conne...

4.3CVSS5.7AI score0.01188EPSS
CVE
CVE
added 2012/04/27 8:0 p.m.60 views

CVE-2012-0465

CVE-2012-0465 affects Bugzilla versions 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1. Root cause: improper validation of the X-Forwarded-For header when inbound_proxies is enabled, allowing bypass of the lockout policy via repeated authentication re...

4.3CVSS6.7AI score0.01234EPSS
CVE
CVE
added 2007/10/18 10:0 a.m.59 views

CVE-2002-2260

Vulnerability context (CVE-2002-2260) : Mozilla Bugzilla's quips feature is affected in versions 2.10–2.17, where an XSS vulnerability exists that lets remote attackers inject arbitrary script/HTML via the “show all quips” page. Several connected sources (including Debian’s DSA-218-1 and OpenVAS ...

4.3CVSS5.6AI score0.0109EPSS
CVE
CVE
added 2014/04/20 1:0 a.m.59 views

CVE-2014-1517

CVE-2014-1517 corresponds to a login CSRF flaw in Bugzilla 2.x/3.x/4.x before 4.4.3 and 4.5.x before 4.5.3. Multiple security advisories (Mageia MGASA-2014-0200, OpenVAS entries, Fedora updates) indicate a fix was released in Bugzilla packages; apply the vendor patch/update to the affected system...

4CVSS5.6AI score0.01314EPSS
CVE
CVE
added 2009/02/09 6:0 p.m.58 views

CVE-2008-6098

CVE-2008-6098 affects Bugzilla variants (e.g., Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and related versions). The vulnerability lets remote authenticated users bypass moderation to approve/disapprove quips via a direct request to quips.cgi with actio...

4CVSS6.1AI score0.01146EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.57 views

CVE-2002-0805

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 contain two issues: (1) creation of new directories with world-writable permissions, and (2) creation of the params file with world-writable permissions. These flaws allow local users to modify the files and execute code. The provided sources co...

4.6CVSS6.5AI score0.00328EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.57 views

CVE-2010-4570

CVE-2010-4570 is an XSS vulnerability in Bugzilla’s duplicate-detection feature (Bugzilla 3.7.1/3.7.2/3.7.3/4.0rc1) where the summary field can be exploited via the DataTable widget in YUI to inject arbitrary script/HTML. Connected documents confirm the CVE is referenced among Bugzilla-related ad...

4.3CVSS5.6AI score0.01739EPSS
CVE
CVE
added 2012/01/02 7:0 p.m.57 views

CVE-2011-3657

CVE-2011-3657 describes multiple XSS vulnerabilities in Bugzilla when debug mode is enabled. Affected products include Bugzilla 2.x and 3.x (up to 3.4.12/3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3). The flaws allow remote attackers to inject arbitr...

4.3CVSS5.5AI score0.01567EPSS
CVE
CVE
added 2012/07/28 6:0 p.m.57 views

CVE-2012-1969

CVE-2012-1969 affects Bugzilla in multiple branches: get_attachment_link in Template.pm does not verify whether an attachment is private before showing its description in public comments, allowing read access to description text. Affected versions include Bugzilla 2.x and 3.x prior to 3.6.10, 3.7...

4.3CVSS5.9AI score0.01553EPSS
CVE
CVE
added 2010/08/13 7:0 p.m.56 views

CVE-2010-2759

The CVE-2010-2759 entry applies to Bugzilla 2.23.1–3.2.7, 3.3.1–3.4.7, 3.5.1–3.6.1, and 3.7–3.7.2 when used with PostgreSQL. It describes a vulnerability where large integers in (1) bug and (2) attachment phrases are not handled correctly, allowing remote authenticated users to cause a denial of ...

4CVSS6AI score0.01828EPSS
CVE
CVE
added 2008/05/07 8:7 p.m.55 views

CVE-2008-2103

CVE-2008-2103 describes a cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later, allowing remote attackers to inject arbitrary script/HTML via the id parameter in the Format for Printing and Long Format bug views. Connected sources confirm vendor advisories and OpenVAS/Nessus entr...

4.3CVSS5.5AI score0.01349EPSS
CVE
CVE
added 2012/11/16 11:0 a.m.55 views

CVE-2012-4199

CVE-2012-4199 concerns Bugzilla’s template file template/en/default/bug/field-events.js.tmpl, where JavaScript function calls can reveal private product or component names due to custom-field visibility controls. The issue affects Bugzilla 3.x up to 3.6.12, Bugzilla 3.7.x up to 4.0.9, Bugzilla 4....

4.3CVSS5.9AI score0.00962EPSS
CVE
CVE
added 2012/02/02 6:0 p.m.51 views

CVE-2012-0448

Bugzilla vulnerability CVE-2012-0448: Bugzilla versions 2.x/3.x and 4.x exhibit improper rejection of non-ASCII characters in new-user email addresses, enabling potential account impersonation. The issue arises from insufficient validation of email fields, allowing visually similar addresses to b...

4CVSS6AI score0.01013EPSS
CVE
CVE
added 2008/05/07 8:7 p.m.49 views

CVE-2008-2104

The CVE-2008-2104 entry concerns Bugzilla 3.1.3’s WebService: remote authenticated users lacking canconfirm privileges can create NEW or ASSIGNED bug entries via XML-RPC, bypassing the canconfirm check. The connected documents confirm the affected product/version and the bypass directly enabling ...

4CVSS6.3AI score0.0093EPSS
CVE
CVE
added 2006/05/16 10:0 a.m.48 views

CVE-2006-2420

CVE-2006-2420 affects Bugzilla 2.20rc1 through 2.20 and 2.21.1 when using RSS 1.0, enabling remote XSS via a title element containing HTML-encoded sequences (e.g., ">") that are decoded by some RSS readers. The issue is described as stemming from RSS design/documentation inconsistencies or RSS...

4.3CVSS5.6AI score0.01537EPSS