15 matches found
CVE-2010-4567
CVE-2010-4567 affects Bugzilla: whitespace before javascript: or data: in the URL field allows XSS. Affected versions per description: Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2. Public notices across multiple advisories confirm the issue and provide ...
CVE-2011-2379
CVE-2011-2379 is a cross-site scripting issue in Bugzilla related to viewing patches in Raw Unified mode . The vulnerability arises because an alternate host used for attachments when viewing them in raw format is also used for patches, and it is exploited when users use Internet Explorer < 9 ...
CVE-2011-2977
Bugzilla 3.6.x (up to 3.6.5), 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows fail to delete temporary files created for uploaded attachments, allowing local users to read sensitive data. Root cause: regression in 3.6. Additionally, the vulnerability is limited to Windows builds as s...
CVE-2011-2380
CVE-2011-2380 affects Bugzilla and allows remote attackers to determine the existence of private group names by crafting parameters during bug creation or editing. Affected versions include Bugzilla 2.23.3–2.22.7, 3.0.x–3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4....
CVE-2010-4572
CVE-2010-4572 is a CRLF/header injection vulnerability in Bugzilla that can be triggered via the query string to inject HTTP headers and enable HTTP response splitting. Debian’s security advisory DSA-2322-1 explicitly lists this CVE among vulnerabilities in Bugzilla and notes that the issue was f...
CVE-2011-2979
Technical details for CVE-2011-2979 are not publicly available in the provided connected documents; monitor for updates. The materials reference the CVE but do not supply affected products, root cause, or fixes.
CVE-2010-4569
CVE-2010-4569 is an XSS vulnerability in Bugzilla affecting versions 3.7.1, 3.7.2, 3.7.3, and 4.0rc1. The issue arises in Bugzilla’s user account real name field, related to the YUI AutoComplete widget, allowing remote attackers to inject arbitrary script/HTML. The connected records confirm the B...
CVE-2010-4568
CVE-2010-4568 affects Bugzilla 2.14–2.22.7; 3.0.x–3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2, where cookies/tokens were generated with an insufficient number of srand calls, allowing remote attackers to gain access to arbitrary Bugzilla accounts via unsp...
CVE-2011-0046
CVE-2011-0046 affects Bugzilla prior to 3.2.10, 3.4.x prior to 3.4.10, 3.6.x prior to 3.6.4, and 4.0.x prior to 4.0rc2, enabling CSRF to hijack user authentication for actions such as adding saved searches, voting, sanity checks, charting, column changes, and quips. Public sources in the connecte...
CVE-2011-2381
Summary: CVE-2011-2381 is a CRLF injection vulnerability in Bugzilla that allows remote attackers to inject arbitrary email headers via an attachment description in a flagmail notification. The initial description lists affected versions: Bugzilla 2.17.1–2.22.7, 3.0.x–3.3.x, 3.4.x before 3.4.12, ...
CVE-2011-0048
CVE-2011-0048 affects Bugzilla: the URL field (bug_file_loc) can contain javascript: or data: URIs. The issue allows cross-site scripting against logged-out users when the URI is crafted in certain Bugzilla versions (3.2.x up to 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, 4.0.x before 4.0rc2...
CVE-2008-7292
Technical details for CVE-2008-7292 are not publicly provided in the supplied documents. Monitor for updates; the Bugzilla local-file disclosure described in the initial entry is not elaborated here.
CVE-2011-2978
Bugzilla CVE-2011-2978: The vulnerability arises because Bugzilla does not prevent changes to the confirmation email address (old_email) when a user initiates an email change, allowing an attacker with access to another user’s session (e.g., an unattended workstation) to redirect the change notif...
CVE-2011-2976
Bugzilla (Bugzilla) XSS vulnerability CVE-2011-2976 affects Bugzilla 2.16rc1–2.22.7, 3.0.x–3.3.x, and 3.4.x before 3.4.12. The issue allows remote attackers to inject arbitrary web script or HTML via vectors involving the BUGLIST cookie. No remediation details are provided in the connected docume...
CVE-2010-4570
CVE-2010-4570 is an XSS vulnerability in Bugzilla’s duplicate-detection feature (Bugzilla 3.7.1/3.7.2/3.7.3/4.0rc1) where the summary field can be exploited via the DataTable widget in YUI to inject arbitrary script/HTML. Connected documents confirm the CVE is referenced among Bugzilla-related ad...