CVE-2009-1213
https://notcve.org/view.php?id=CVE-2009-1213
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en attachment.cgi de Bugzilla v3.2 anterior a v3.2.3, v3.3 anterior a v3.3.4 y versiones anteriores, permiten a atacantes remotos secuestrar la autenticación de usuarios aleatorios de solicitudes que utilizan la edición de adjuntos. • http://secunia.com/advisories/34545 http://secunia.com/advisories/34547 http://secunia.com/advisories/34624 http://www.bugzilla.org/security/3.2.2 http://www.securityfocus.com/bid/34308 http://www.vupen.com/english/advisories/2009/0887 https://bugzilla.mozilla.org/show_bug.cgi?id=476603 https://exchange.xforce.ibmcloud.com/vulnerabilities/49524 https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00188.html https://www.redhat.com/archives/fedora-package-announce/ • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-6098
https://notcve.org/view.php?id=CVE-2008-6098
Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." Bugzilla v3.2 anterior a v3.2 RC2, v3.0 anterior a v3.0.6, v2.22 anterior a v2.22.6, v2.20 anterior a v2.20.7, y otras versiones posteriores a v2.17.4, permite a usuarios autenticados remotamente evitar la moderación para aprobar o denegar los "quips" • http://secunia.com/advisories/32501 http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.20.6 http://www.securityfocus.com/bid/32178 https://bugzilla.mozilla.org/show_bug.cgi?id=449931 https://exchange.xforce.ibmcloud.com/vulnerabilities/46424 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0486
https://notcve.org/view.php?id=CVE-2009-0486
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. Bugzilla v3.2.1, v3.0.7 y v3.3.2, cuando se ejecuta bajo mod_perl, llama a la función srand en momento de iniciarse, lo que provoca que los hijos de Apache tengan la misma "semilla" y produzca insuficientes números aleatorios para los elementos aleatorios, lo que permite a atacantes remotos saltarse el mecanismo de protección "cross-site request forgery" (CSRF) y realizar actividades no autorizadas como si fuéramos otros usuarios. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/3.0.7 http://www.securityfocus.com/bid/33581 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0482
https://notcve.org/view.php?id=CVE-2009-0482
Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Bugzilla v3.2 anteriores a v3.2.1, v3.3 anteriores a 3.3.2 y otras versiones anteriores a v3.2 que permite a los atacantes remotos desarrollar un fallo actualizando actividades como otros usuarios a través de un enlace o etiqueta IMG a process_bug.cgi. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0481
https://notcve.org/view.php?id=CVE-2009-0481
Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers. Bugzilla v2.x anterior a v2.22.7, v3.0 anterior a v3.0.7, v3.2 anterior a v3.2.1 y v3.3 anterior a v3.3.2 ; permite a usuarios autenticados en remoto provocar una secuencia de comandos en sitios cruzados (XSS) y ataques relacionados al subir adjuntos HTML y JavaScript que son interpretados por los navegadores Web. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •