Lucene search
+L

19 matches found

cve
cve
added 2012/11/16 11:0 a.m.191 views

CVE-2012-5883

CVE-2012-5883 is a cross-site scripting (XSS) vulnerability in the Flash component infrastructure of YUI (versions 2.8.0–2.9.0) used by Bugzilla 3.7.x/4.0.x (before 4.0.9), 4.1.x/4.2.x (before 4.2.4), and 4.3.x/4.4.x (before 4.4rc1). The issue allows remote attackers to inject arbitrary script/HT...

4.3CVSS7AI score0.02105EPSS
cve
cve
added 2012/11/16 11:0 a.m.77 views

CVE-2012-4189

CVE-2012-4189 is a cross-site scripting (XSS) vulnerability in Bugzilla where an attacker can inject arbitrary script/HTML via a field value (notably the Version field) when constructing a tabular report. Affected are Bugzilla 4.1.x and 4.2.x before 4.2.4; and 4.3.x and 4.4.x before 4.4rc1. The u...

4.3CVSS5.4AI score0.01038EPSS
Web
cve
cve
added 2012/09/04 10:0 a.m.74 views

CVE-2012-3981

Bugzilla contains an LDAP username handling flaw in Auth/Verify/LDAP.pm that does not restrict characters, potentially allowing remote attackers to inject data into an LDAP directory via crafted login attempts. Affected versions include Bugzilla 2.x/3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8...

5CVSS6.2AI score0.01741EPSS
cve
cve
added 2012/04/27 8:0 p.m.72 views

CVE-2012-0466

CVE-2012-0466 affects Bugzilla 2.x/3.x prior to 3.6.9, 3.7.x, and 4.0.x prior to 4.0.6, as well as 4.1.x and 4.2.x prior to 4.2.1. The flaw is in template/en/default/list/list.js.tmpl that does not properly handle multiple logins, enabling remote attackers to perform cross-site scripting (XSS) an...

4CVSS5.3AI score0.00852EPSS
cve
cve
added 2012/02/02 6:0 p.m.66 views

CVE-2012-0440

CVE-2012-0440 is a CSRF vulnerability in Bugzilla’s JSON-RPC API (jsonrpc.cgi) that could allow an attacker to hijack the authentication of arbitrary users for JSON-RPC requests. Affected Bugzilla versions include 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x bef...

5.1CVSS7AI score0.0063EPSS
cve
cve
added 2012/02/25 2:0 a.m.63 views

CVE-2012-0453

The CVE-2012-0453 entry describes a Cross-site Request Forgery (CSRF) vulnerability in Bugzilla versions 4.0.2–4.0.4 and 4.1.1–4.2rc2 when using mod_perl. The flaw allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product’s installation via the X...

5.1CVSS7AI score0.00826EPSS
cve
cve
added 2012/01/02 7:0 p.m.62 views

CVE-2011-3669

CVE-2011-3669 : CSRF vulnerability in Bugzilla’s attachment.cgi permits remote attackers to hijack the authentication of arbitrary users when uploading attachments. Affected software: Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Root cause: cross-site request forgery on the attachment upload path....

6.8CVSS7.1AI score0.00945EPSS
cve
cve
added 2012/07/28 6:0 p.m.62 views

CVE-2012-1968

Bugzilla HTML bugmails vulnerability (CVE-2012-1968): versions 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 serialize bug/attachment IDs with tooltips, but permission checks use the editor’s rights instead of the addressee’s. This can disclose confidential information via tooltips in HTML ...

4.3CVSS6.1AI score0.01457EPSS
cve
cve
added 2012/11/16 11:0 a.m.62 views

CVE-2012-4198

The CVE-2012-4198 issue affects Bugzilla’s WebService User.get method in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4rc1. Root cause: different outcomes for a groups request depending on whether a group exists, enabling remote authenticated users...

4CVSS6.1AI score0.00874EPSS
cve
cve
added 2012/04/27 8:0 p.m.60 views

CVE-2012-0465

CVE-2012-0465 affects Bugzilla versions 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1. Root cause: improper validation of the X-Forwarded-For header when inbound_proxies is enabled, allowing bypass of the lockout policy via repeated authentication re...

4.3CVSS6.7AI score0.01234EPSS
cve
cve
added 2012/07/28 6:0 p.m.57 views

CVE-2012-1969

CVE-2012-1969 affects Bugzilla in multiple branches: get_attachment_link in Template.pm does not verify whether an attachment is private before showing its description in public comments, allowing read access to description text. Affected versions include Bugzilla 2.x and 3.x prior to 3.6.10, 3.7...

4.3CVSS5.9AI score0.01553EPSS
cve
cve
added 2012/01/02 7:0 p.m.56 views

CVE-2011-3657

CVE-2011-3657 describes multiple XSS vulnerabilities in Bugzilla when debug mode is enabled. Affected products include Bugzilla 2.x and 3.x (up to 3.4.12/3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3). The flaws allow remote attackers to inject arbitr...

4.3CVSS5.5AI score0.01567EPSS
cve
cve
added 2012/01/02 7:0 p.m.56 views

CVE-2011-3667

CVE-2011-3667 affects Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3. The root cause is that when createemailregexp is not empty, Bugzilla does not properly apply the user_can_create_account setting, allowing remote attacker...

6.8CVSS6.4AI score0.01067EPSS
cve
cve
added 2012/11/16 11:0 a.m.55 views

CVE-2012-4197

CVE-2012-4197 affects Bugzilla’s Attachment.pm in attachment.cgi, allowing remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action. Affected: Bugzilla 2.x/3.x before 3.6.12, 3.7.x, 4.0.x before 4.0.9, 4.1.x/4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4r...

5CVSS6.6AI score0.01543EPSS
Web
cve
cve
added 2012/11/16 11:0 a.m.55 views

CVE-2012-4199

CVE-2012-4199 concerns Bugzilla’s template file template/en/default/bug/field-events.js.tmpl, where JavaScript function calls can reveal private product or component names due to custom-field visibility controls. The issue affects Bugzilla 3.x up to 3.6.12, Bugzilla 3.7.x up to 4.0.9, Bugzilla 4....

4.3CVSS5.9AI score0.00962EPSS
cve
cve
added 2012/09/04 10:0 a.m.52 views

CVE-2012-4747

Bugzilla vulnerability CVE-2012-4747: Bugzilla 2.x and 3.x (up to 3.6.11), 3.7.x, 4.0.x before 4.0.8, 4.1.x, 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root due to insufficient access control. This allows remote attackers to read (1) template...

5CVSS6.3AI score0.01657EPSS
cve
cve
added 2012/11/16 11:0 a.m.52 views

CVE-2012-5884

Technical details for CVE-2012-5884 are not provided in the supplied documents. Monitor for updates from vendors and security advisories.

5CVSS6.2AI score0.01167EPSS
cve
cve
added 2012/02/02 6:0 p.m.51 views

CVE-2012-0448

Bugzilla vulnerability CVE-2012-0448: Bugzilla versions 2.x/3.x and 4.x exhibit improper rejection of non-ASCII characters in new-user email addresses, enabling potential account impersonation. The issue arises from insufficient validation of email fields, allowing visually similar addresses to b...

4CVSS6AI score0.01013EPSS
cve
cve
added 2012/01/02 7:0 p.m.47 views

CVE-2011-3668

The CVE-2011-3668 entry describes a cross-site request forgery (CSRF) in Bugzilla’s post_bug.cgi function affecting Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Exploitation would allow remote attackers to hijack the authentication of arbitrary users to perform actions that create bug reports. The...

6.8CVSS7.1AI score0.00945EPSS