Lucene search
+L
MozillaBugzilla

35 matches found

CVE
CVE
added 2015/09/14 1:0 a.m.80 views

CVE-2015-4499

CVE-2015-4499 affects Bugzilla across multiple branches (Bugzilla 2.x/3.x/4.x pre-4.2.15, pre-4.4.10 for 4.x line, and 5.x pre-5.0.1). The flaw mishandles long e-mail addresses during account creation, truncating login names longer than 127 characters (notably an @mozilla.com.example.com address ...

7.5CVSS4.7AI score0.03371EPSS
CVE
CVE
added 2011/01/28 3:0 p.m.72 views

CVE-2010-4568

CVE-2010-4568 affects Bugzilla 2.14–2.22.7; 3.0.x–3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2, where cookies/tokens were generated with an insufficient number of srand calls, allowing remote attackers to gain access to arbitrary Bugzilla accounts via unsp...

7.5CVSS6.7AI score0.02531EPSS
CVE
CVE
added 2009/09/15 10:0 p.m.70 views

CVE-2009-3165

CVE-2009-3165 is a SQL injection vulnerability affecting Bugzilla 2.23.4–3.0.8, 3.1.1–3.2.4, and 3.3.1–3.4.1 via Bug.create WebService parameters, enabling remote arbitrary SQL execution. Connected advisories confirm impact and remediation guidance, notably Gentoo GLSA 2010-06-19 recommending upg...

7.5CVSS8AI score0.01393EPSS
CVE
CVE
added 2005/12/28 2:0 a.m.69 views

CVE-2005-4534

CVE-2005-4534 affects Bugzilla versions 2.9–2.16.10 via the shadow database (syncshadowdb). A local user can exploit insecure temporary file handling to perform a symlink attack and overwrite files Bugzilla can access, potentially leading to denial of service. The advisory notes that newer versio...

7.5CVSS6.1AI score0.01527EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.67 views

CVE-2003-0013

CVE-2003-0013 concerns Bugzilla’s default .htaccess behavior. The bug is that backups of localconfig created by editors (e.g., vi, Emacs; often .swp or ~ files) were not blocked by the default .htaccess, potentially allowing remote attackers to download a backup and obtain the database password. ...

7.5CVSS6.5AI score0.02083EPSS
CVE
CVE
added 2008/10/03 10:0 p.m.66 views

CVE-2008-4437

CVE-2008-4437 describes a directory traversal vulnerability in Bugzilla’s importxml.pl when --attach_path is enabled. It affects Bugzilla versions before 2.22.5 and 3.x before 3.0.5, allowing a remote attacker to read arbitrary files by placing a .. in the data element of an XML file. The issue’s...

7.1CVSS6.3AI score0.05642EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.63 views

CVE-2002-0804

Bugzilla 2.14 (before 2.14.2) and 2.16 (before 2.16rc2) are vulnerable when configured to perform reverse DNS lookups. Remote attackers can bypass IP-based access restrictions by connecting from a host with a spoofed reverse DNS hostname. The provided materials do not specify a patch or workaround.

7.5CVSS6.8AI score0.01396EPSS
CVE
CVE
added 2002/08/31 4:0 a.m.62 views

CVE-2001-1402

Bugzilla before 2.14 does not properly escape untrusted parameters, enabling cross-site scripting (XSS) and potentially SQL injection via multiple input points. Affected areas include reports.cgi (product/output form variables), showvotes.cgi (voteon, bug_id, user), createaccount.cgi (email), sho...

7.5CVSS7.6AI score0.01917EPSS
CVE
CVE
added 2004/06/03 4:0 a.m.62 views

CVE-2003-1046

The CVE-2003-1046 entry concerns Bugzilla versions 2.17.3 and 2.17.4. Describecomponents.cgi fails to properly verify group membership when bug entry groups are used, allowing remote attackers to list component descriptions for products that should be restricted. The core issue is an insufficient...

7.5CVSS6.7AI score0.0135EPSS
CVE
CVE
added 2009/09/15 10:0 p.m.62 views

CVE-2009-3125

CVE-2009-3125 : Bugzilla 3.3.2–3.4.1 and 3.5 are affected by an SQL injection in the Bug.search WebService, allowing remote attackers to execute arbitrary SQL via unspecified parameters. The issue is within Bugzilla’s web service layer and is tied to untrusted input used in SQL queries. Several c...

7.5CVSS8AI score0.01393EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.61 views

CVE-2001-1407

Bugzilla before 2.14 is vulnerable: users can bypass group security by marking a bug as a duplicate of a restricted bug, which adds the user to the restricted bug’s CC list and lets them view it. Affected: Bugzilla ≤ 2.13 (pre-2.14). Root cause: bypass of group security checks via duplicate marki...

7.5CVSS7AI score0.01163EPSS
CVE
CVE
added 2004/07/21 4:0 a.m.60 views

CVE-2004-0707

CVE-2004-0707 describes an SQL injection in Bugzilla’s editusers.cgi. The issue affects Bugzilla 2.16.x before 2.16.6 and 2.18 before 2.18rc1, allowing remote attackers with privileges to grant membership to any group to execute arbitrary SQL. The connected information confirms the vulnerable com...

7.5CVSS8.2AI score0.01025EPSS
CVE
CVE
added 2000/07/12 4:0 a.m.59 views

CVE-2000-0421

The CVE-2000-0421 entry corresponds to a vulnerability in Bugzilla where the process_bug.cgi script fails to sanitize user-supplied data, enabling remote arbitrary command execution. Technical documentation from connected sources confirms this flaw affects Bugzilla’s remote command execution via ...

7.5CVSS7.6AI score0.01741EPSS
CVE
CVE
added 2001/05/24 4:0 a.m.59 views

CVE-2001-0329

Bugzilla 2.10 is vulnerable to remote arbitrary command execution via shell metacharacters in a username, processed by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi. The root cause is lack of input sanitization in the CGI workflow, enabling an attacker ...

7.5CVSS7.6AI score0.03132EPSS
CVE
CVE
added 2009/02/09 5:0 p.m.59 views

CVE-2009-0486

CVE-2009-0486 (Bugzilla) affects Bugzilla 3.2.1, 3.0.7, and 3.3.2 when run under mod_perl, where startup srand seeds produce identical pseudorandom numbers for tokens, allowing remote attackers to bypass CSRF protections and perform actions as other users. The vulnerability is documented with a b...

7.5CVSS6.7AI score0.00571EPSS
CVE
CVE
added 2007/02/06 7:0 p.m.58 views

CVE-2007-0792

The CVE-2007-0792 entry describes a vulnerability in Bugzilla 2.23.3 where the mod_perl initialization script fails to set the Bugzilla Apache configuration to permit .htaccess overrides of file permissions. This allows remote attackers to directly request the localconfig file and obtain the data...

7.5CVSS6.6AI score0.01322EPSS
CVE
CVE
added 2004/07/21 4:0 a.m.57 views

CVE-2004-0703

CVE-2004-0703 describes a privilege-escalation issue in Bugzilla’s administrative controls. Versions 2.17.1–2.17.7 allow users with grant membership privileges to grant memberships to groups the user does not control, enabling broader access within the Bugzilla installation. The vulnerability is ...

7.5CVSS6.5AI score0.01118EPSS
CVE
CVE
added 2007/09/24 12:0 a.m.57 views

CVE-2007-5038

CVE-2007-5038 affects Bugzilla WebService: offer_account_by_email in User.pm does not validate the createemailregexp parameter, permitting remote creation of accounts that would be denied by the email regexp. Affected versions are Bugzilla before 3.0.2 and 3.1.x before 3.1.2. Exploitation would b...

7.5CVSS6.5AI score0.01955EPSS
CVE
CVE
added 2002/08/31 4:0 a.m.56 views

CVE-2001-1401

Bugzilla before 2.14 contains an access-control flaw where confidential bugs can be viewed by manipulating bug id parameters in multiple scripts (process_bug.cgi, show_activity.cgi, showvotes.cgi, showdependencytree.cgi, showdependencygraph.cgi, showattachment.cgi, describecomponents.cgi). The un...

7.5CVSS7AI score0.01672EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.56 views

CVE-2002-0808

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 suffers a mass-change bug that resets the groupset of all bugs to the groupset of the first bug, potentially yielding insecure groupset permissions on some bugs. Affected components: Bugzilla mass-update logic affecting bug groupsets. Root cause...

7.5CVSS6.6AI score0.01116EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.56 views

CVE-2002-1196

CVE-2002-1196 affects Bugzilla: when using the “usebuggroups” feature and more than 47 groups are specified, editproducts.cgi in Bugzilla 2.14.x (before 2.14.4) and 2.16.x (before 2.16.1) does not correctly calculate bit values for large numbers, allowing extra permissions to be granted via Perl ...

7.5CVSS6.5AI score0.01589EPSS
CVE
CVE
added 2001/09/18 4:0 a.m.55 views

CVE-2001-0330

Bugzilla 2.10 contains a vulnerability where a remote attacker can access the database username and password by requesting the globals.pl file, which is served as plain text by the web server. The issue arises from exposing sensitive configuration data in a Perl CGI file. A fix is available in Bu...

7.5CVSS6.8AI score0.02058EPSS
CVE
CVE
added 2006/02/28 11:0 a.m.55 views

CVE-2006-0915

CVE-2006-0915 concerns Bugzilla 2.16.10, where the application does not properly handle certain characters in the attachments parameters (maxpatchsize and maxattachmentsize) in attachment.cgi. This improper input handling can cause a remote SQL error, per the NVD description. The connected docume...

7.5CVSS6.9AI score0.0116EPSS
CVE
CVE
added 2002/07/31 4:0 a.m.53 views

CVE-2002-0807

CVE-2002-0807: Cross-site scripting in Bugzilla affects versions 2.14 before 2.14.2 and 2.16 before 2.16rc2. Root cause: the real name field is not properly quoted by editusers.cgi, allowing remote attackers to run script as other Bugzilla users. Impact: partial confidentiality/integrity/availabi...

7.5CVSS6.8AI score0.01303EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.53 views

CVE-2002-0809

Bugzilla 2.14 before 2.14.2 and 2.16 before 2.16rc2 mishandles URL-encoded field names generated by some browsers, causing certain fields to appear unset and resulting in removal of group permissions on bugs when buglist.cgi is used with the encoded field names. Affected components: Bugzilla bug ...

7.5CVSS6.6AI score0.01116EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.53 views

CVE-2002-1198

This CVE (CVE-2002-1198) affects Bugzilla 2.16.x prior to 2.16.1. The issue is an SQL injection vulnerability during account creation caused by improper filtering of apostrophes in the email address, enabling remote attackers to execute arbitrary SQL. Affected component: Bugzilla account creation...

7.5CVSS8.1AI score0.01088EPSS
CVE
CVE
added 2005/05/14 4:0 a.m.53 views

CVE-2005-1564

Bugzilla 2.10–2.18, 2.19.1, 2.19.2 contains a vulnerability in post_bug.cgi where a remote authenticated user can enter bugs into products that are closed for bug entry by altering the product name in the URL. The root cause is improper handling of product-name validation in the bug-entry flow, a...

7.5CVSS6.4AI score0.01563EPSS
CVE
CVE
added 2002/07/31 4:0 a.m.49 views

CVE-2002-0811

CVE-2002-0811 affects Bugzilla: versions 2.14 before 2.14.2 and 2.16 before 2.16rc2. The vulnerability allows remote attackers to cause a denial of service or execute certain queries via a SQL injection in the sort order parameter of buglist.cgi. Connected sources also link multiple related CVEs ...

7.5CVSS7.7AI score0.0173EPSS
CVE
CVE
added 2002/01/10 5:0 a.m.48 views

CVE-2002-0008

CVE-2002-0008 affects Bugzilla prior to 2.14.1. The vulnerability allows remote attackers to impersonate users: (1) spoof a user comment by sending a request to process_bug.cgi using the who parameter instead of the Bugzilla_login cookie, and (2) post a bug as another user by altering the reporte...

7.5CVSS7.1AI score0.01855EPSS
CVE
CVE
added 2006/02/28 11:0 a.m.48 views

CVE-2006-0916

Bugzilla 2.19.3 through 2.20 contains a URL handling flaw during login redirects: sequences like // can cause a form action to be built with a URL to a different domain, potentially exposing form data to an unintended site. This is documented in multiple connected sources (e.g., PRION entry and N...

7.5CVSS6AI score0.01175EPSS
CVE
CVE
added 2002/01/10 5:0 a.m.47 views

CVE-2002-0010

Bugzilla prior to 2.14.1 contains multiple input handling flaws that enable remote SQL injection and file creation, potentially elevating privileges. Specifically, via: (1) sql parameter in buglist.cgi, (2) invalid field names in the boolean chart query in buglist.cgi, (3) mybugslink parameter in...

7.5CVSS7.9AI score0.02281EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.45 views

CVE-2002-1197

CVE-2002-1197 affects Bugzilla versions 2.14.x before 2.14.4 and 2.16.x before 2.16.1. A flaw in bugzilla_email_append.pl allows remote attackers to execute arbitrary code by injecting shell metacharacters into a system call to processmail. The vulnerability is introduced in the email processing ...

7.5CVSS7.7AI score0.02343EPSS
CVE
CVE
added 2002/08/31 4:0 a.m.44 views

CVE-2001-1403

This CVE (CVE-2001-1403) affects Bugzilla prior to version 2.14, where username and password were included in URLs. The underlying issue is credentials exposed in URLs, which could enable attackers to gain privileges by reading web server access logs or by shoulder-surfing and observing the brows...

7.5CVSS7.2AI score0.01126EPSS
CVE
CVE
added 2002/08/31 4:0 a.m.43 views

CVE-2001-1404

CVE-2001-1404 describes a vulnerability in Bugzilla prior to version 2.14 where passwords were stored in plaintext and password requests could be sent via email. The underlying issue is insecure password handling, enabling privilege escalation if an attacker could access or intercept credentials....

7.5CVSS7.4AI score0.01126EPSS
CVE
CVE
added 2004/06/03 4:0 a.m.43 views

CVE-2003-1044

CVE-2003-1044 affects Bugzilla 2.16.3 and earlier where, when usebuggroups is enabled, deleting a group fails to remove its group add privileges. This allows users with those privileges to perform unauthorized additions to the next group assigned the original group ID. The root cause is improper ...

7.5CVSS6.5AI score0.01156EPSS