CVE-2009-3165
https://notcve.org/view.php?id=CVE-2009-3165
SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. Vulnerabilidad de inyección SQL en la función de WebService Bug.create en Bugzilla v2.23.4 hasta la v3.0.8, v3.1.1 a v3.2.4, y v3.3.1 hasta la v3.4.1 permite a atacantes remotos ejecutar comandos SQL a través de parámetros no especificados. • http://secunia.com/advisories/36718 http://www.bugzilla.org/security/3.0.8 http://www.securityfocus.com/bid/36373 https://bugzilla.mozilla.org/show_bug.cgi?id=515191 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2009-1213
https://notcve.org/view.php?id=CVE-2009-1213
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en attachment.cgi de Bugzilla v3.2 anterior a v3.2.3, v3.3 anterior a v3.3.4 y versiones anteriores, permiten a atacantes remotos secuestrar la autenticación de usuarios aleatorios de solicitudes que utilizan la edición de adjuntos. • http://secunia.com/advisories/34545 http://secunia.com/advisories/34547 http://secunia.com/advisories/34624 http://www.bugzilla.org/security/3.2.2 http://www.securityfocus.com/bid/34308 http://www.vupen.com/english/advisories/2009/0887 https://bugzilla.mozilla.org/show_bug.cgi?id=476603 https://exchange.xforce.ibmcloud.com/vulnerabilities/49524 https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00188.html https://www.redhat.com/archives/fedora-package-announce/ • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-6098
https://notcve.org/view.php?id=CVE-2008-6098
Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." Bugzilla v3.2 anterior a v3.2 RC2, v3.0 anterior a v3.0.6, v2.22 anterior a v2.22.6, v2.20 anterior a v2.20.7, y otras versiones posteriores a v2.17.4, permite a usuarios autenticados remotamente evitar la moderación para aprobar o denegar los "quips" • http://secunia.com/advisories/32501 http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.20.6 http://www.securityfocus.com/bid/32178 https://bugzilla.mozilla.org/show_bug.cgi?id=449931 https://exchange.xforce.ibmcloud.com/vulnerabilities/46424 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0486
https://notcve.org/view.php?id=CVE-2009-0486
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. Bugzilla v3.2.1, v3.0.7 y v3.3.2, cuando se ejecuta bajo mod_perl, llama a la función srand en momento de iniciarse, lo que provoca que los hijos de Apache tengan la misma "semilla" y produzca insuficientes números aleatorios para los elementos aleatorios, lo que permite a atacantes remotos saltarse el mecanismo de protección "cross-site request forgery" (CSRF) y realizar actividades no autorizadas como si fuéramos otros usuarios. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/3.0.7 http://www.securityfocus.com/bid/33581 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0482
https://notcve.org/view.php?id=CVE-2009-0482
Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Bugzilla v3.2 anteriores a v3.2.1, v3.3 anteriores a 3.3.2 y otras versiones anteriores a v3.2 que permite a los atacantes remotos desarrollar un fallo actualizando actividades como otros usuarios a través de un enlace o etiqueta IMG a process_bug.cgi. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •