Bugzilla Security Vulnerabilities and Issues — Bugzilla CVE List

Lucene search

MozillaBugzilla

11 matches found

CVE•added 2005/01/04 5:0 a.m.•55 views

CVE-2004-1061

Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter.

4.3CVSS5.7AI score0.00572EPSS

CVE•added 2005/12/28 2:3 a.m.•52 views

CVE-2005-4534

The shadow database feature (syncshadowdb) in Bugzilla 2.9 through 2.16.10 allows local users to overwrite arbitrary files via a symlink attack on temporary files.

7.5CVSS6.1AI score0.0154EPSS

CVE•added 2005/07/08 4:0 a.m.•47 views

CVE-2005-2174

Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete.

2.6CVSS5.9AI score0.00395EPSS

CVE•added 2005/05/14 4:0 a.m.•45 views

CVE-2005-1563

Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different error message depending on whether a product exists or not, which allows remote attackers to determine hidden products.

5CVSS6.7AI score0.00807EPSS

CVE•added 2005/05/14 4:0 a.m.•40 views

CVE-2005-1564

post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows remote authenticated users to "enter bugs into products that are closed for bug entry" by modifying the URL to specify the name of the product.

7.5CVSS6.4AI score0.01819EPSS

CVE•added 2005/02/20 5:0 a.m.•39 views

CVE-2004-1633

process_bug.cgi in Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS does not check edit permissions on the keywords field, which allows remote authenticated users to modify the keywords in a bug via the keywordaction parameter.

5CVSS6.6AI score0.00288EPSS

CVE•added 2005/07/08 4:0 a.m.•39 views

CVE-2005-2173

The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi.

5CVSS6.5AI score0.00384EPSS

CVE•added 2005/10/05 9:2 p.m.•39 views

CVE-2005-3138

Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set.

5CVSS6.2AI score0.00524EPSS

CVE•added 2005/05/14 4:0 a.m.•37 views

CVE-2005-1565

Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history.

5CVSS6.3AI score0.00804EPSS

CVE•added 2005/02/20 5:0 a.m.•36 views

CVE-2004-1634

show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive information.

5CVSS6.8AI score0.00438EPSS

CVE•added 2005/10/05 9:2 p.m.•35 views

CVE-2005-3139

Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on in substring mode, allows attackers to list all users whose names match an arbitrary substring, even when the usevisibilitygroups parameter is set.

5CVSS6.6AI score0.00593EPSS