19 matches found
CVE-2012-5883
CVE-2012-5883 is a cross-site scripting (XSS) vulnerability in the Flash component infrastructure of YUI (versions 2.8.0–2.9.0) used by Bugzilla 3.7.x/4.0.x (before 4.0.9), 4.1.x/4.2.x (before 4.2.4), and 4.3.x/4.4.x (before 4.4rc1). The issue allows remote attackers to inject arbitrary script/HT...
CVE-2012-4189
CVE-2012-4189 is a cross-site scripting (XSS) vulnerability in Bugzilla where an attacker can inject arbitrary script/HTML via a field value (notably the Version field) when constructing a tabular report. Affected are Bugzilla 4.1.x and 4.2.x before 4.2.4; and 4.3.x and 4.4.x before 4.4rc1. The u...
CVE-2012-3981
Bugzilla contains an LDAP username handling flaw in Auth/Verify/LDAP.pm that does not restrict characters, potentially allowing remote attackers to inject data into an LDAP directory via crafted login attempts. Affected versions include Bugzilla 2.x/3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8...
CVE-2012-0466
CVE-2012-0466 affects Bugzilla 2.x/3.x prior to 3.6.9, 3.7.x, and 4.0.x prior to 4.0.6, as well as 4.1.x and 4.2.x prior to 4.2.1. The flaw is in template/en/default/list/list.js.tmpl that does not properly handle multiple logins, enabling remote attackers to perform cross-site scripting (XSS) an...
CVE-2012-0440
CVE-2012-0440 is a CSRF vulnerability in Bugzilla’s JSON-RPC API (jsonrpc.cgi) that could allow an attacker to hijack the authentication of arbitrary users for JSON-RPC requests. Affected Bugzilla versions include 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x bef...
CVE-2012-0453
The CVE-2012-0453 entry describes a Cross-site Request Forgery (CSRF) vulnerability in Bugzilla versions 4.0.2–4.0.4 and 4.1.1–4.2rc2 when using mod_perl. The flaw allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product’s installation via the X...
CVE-2011-3669
CVE-2011-3669 : CSRF vulnerability in Bugzilla’s attachment.cgi permits remote attackers to hijack the authentication of arbitrary users when uploading attachments. Affected software: Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Root cause: cross-site request forgery on the attachment upload path....
CVE-2012-1968
Bugzilla HTML bugmails vulnerability (CVE-2012-1968): versions 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 serialize bug/attachment IDs with tooltips, but permission checks use the editor’s rights instead of the addressee’s. This can disclose confidential information via tooltips in HTML ...
CVE-2012-4198
The CVE-2012-4198 issue affects Bugzilla’s WebService User.get method in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4rc1. Root cause: different outcomes for a groups request depending on whether a group exists, enabling remote authenticated users...
CVE-2012-0465
CVE-2012-0465 affects Bugzilla versions 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1. Root cause: improper validation of the X-Forwarded-For header when inbound_proxies is enabled, allowing bypass of the lockout policy via repeated authentication re...
CVE-2012-1969
CVE-2012-1969 affects Bugzilla in multiple branches: get_attachment_link in Template.pm does not verify whether an attachment is private before showing its description in public comments, allowing read access to description text. Affected versions include Bugzilla 2.x and 3.x prior to 3.6.10, 3.7...
CVE-2011-3657
CVE-2011-3657 describes multiple XSS vulnerabilities in Bugzilla when debug mode is enabled. Affected products include Bugzilla 2.x and 3.x (up to 3.4.12/3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3). The flaws allow remote attackers to inject arbitr...
CVE-2011-3667
CVE-2011-3667 affects Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3. The root cause is that when createemailregexp is not empty, Bugzilla does not properly apply the user_can_create_account setting, allowing remote attacker...
CVE-2012-4197
CVE-2012-4197 affects Bugzilla’s Attachment.pm in attachment.cgi, allowing remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action. Affected: Bugzilla 2.x/3.x before 3.6.12, 3.7.x, 4.0.x before 4.0.9, 4.1.x/4.2.x before 4.2.4, and 4.3.x/4.4.x before 4.4r...
CVE-2012-4199
CVE-2012-4199 concerns Bugzilla’s template file template/en/default/bug/field-events.js.tmpl, where JavaScript function calls can reveal private product or component names due to custom-field visibility controls. The issue affects Bugzilla 3.x up to 3.6.12, Bugzilla 3.7.x up to 4.0.9, Bugzilla 4....
CVE-2012-4747
Bugzilla vulnerability CVE-2012-4747: Bugzilla 2.x and 3.x (up to 3.6.11), 3.7.x, 4.0.x before 4.0.8, 4.1.x, 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root due to insufficient access control. This allows remote attackers to read (1) template...
CVE-2012-5884
Technical details for CVE-2012-5884 are not provided in the supplied documents. Monitor for updates from vendors and security advisories.
CVE-2012-0448
Bugzilla vulnerability CVE-2012-0448: Bugzilla versions 2.x/3.x and 4.x exhibit improper rejection of non-ASCII characters in new-user email addresses, enabling potential account impersonation. The issue arises from insufficient validation of email fields, allowing visually similar addresses to b...
CVE-2011-3668
The CVE-2011-3668 entry describes a cross-site request forgery (CSRF) in Bugzilla’s post_bug.cgi function affecting Bugzilla 2.x, 3.x, and 4.x prior to 4.2rc1. Exploitation would allow remote attackers to hijack the authentication of arbitrary users to perform actions that create bug reports. The...