CVE-2009-0485
https://notcve.org/view.php?id=CVE-2009-0485
Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Bugzilla v2.17 hasta v2.22.7, v3.0 anterior a v3.0.7, v3.2 anterior a v3.2.1, y v3.3 anterior a v3.3.2 permite a atacantes remotos eliminar tipos de banderas no utilizadas a través de un enlace o una etiqueta IMG a editflagtypes.cgi. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://bugzilla.mozilla.org/show_bug.cgi?id=466692 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0484
https://notcve.org/view.php?id=CVE-2009-0484
Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi. Una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en versiones de Bugzilla 3.0 anteriores a 3.0.7, 3.2 antes de 3.2.1, y 3.3 antes de 3.3.2 permite a atacantes remotos eliminar búsquedas guardadas o compartidas a través de un enlace o una etiqueta IMG a buglist.cgi. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://bugzilla.mozilla.org/show_bug.cgi?id=466748 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0483
https://notcve.org/view.php?id=CVE-2009-0483
Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Bugzilla v2.22 antes de v2.22.7, v3.0 antes de v3.0.7, 3.2 antes de v3.2.1 y v3.3 antes de v3.3.2, permite a atacantes remotos borrar las palabras clave y las preferencias de usuario mediante un enlace o una etiqueta IMG a (1) editkeywords.cgi o (2) userprefs.cgi. • http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.6 http://www.securityfocus.com/bid/33580 https://bugzilla.mozilla.org/show_bug.cgi?id=466692 https://bugzilla.mozilla.org/show_bug.cgi?id=472362 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-4437 – Bugzilla 3.1.4 - '--attach_path' Directory Traversal
https://notcve.org/view.php?id=CVE-2008-4437
Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. Vulnerabilidad de salto de directorio en importxml.pl de Bugzilla versiones anteriores a v2.22.5, y 3.x versiones anteriores a v3.0.5, cuando --attach_path está activo, permite a atacantes remotos leer ficheros de su elección a través de un fichero XML con .. (punto punto) en el elemento "data". • https://www.exploit-db.com/exploits/32228 http://secunia.com/advisories/31444 http://secunia.com/advisories/34361 http://www.bugzilla.org/security/2.22.4 http://www.securityfocus.com/bid/30661 http://www.securitytracker.com/id?1020668 http://www.vupen.com/english/advisories/2008/2344 https://bugzilla.mozilla.org/show_bug.cgi?id=437169 https://exchange.xforce.ibmcloud.com/vulnerabilities/44407 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html https: • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2008-2103
https://notcve.org/view.php?id=CVE-2008-2103
Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list. Vulnerabilidad de Secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.17.2 y versiones posteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrariamente a través del parámetro id en la vista "Format for Printing" (Vista preliminar) o en la lista bug "Long Format" (Formato largo). • http://secunia.com/advisories/30064 http://secunia.com/advisories/30167 http://www.bugzilla.org/security/2.20.5 http://www.securityfocus.com/bid/29038 http://www.securitytracker.com/id?1019967 http://www.vupen.com/english/advisories/2008/1428/references https://bugzilla.mozilla.org/show_bug.cgi?id=425665 https://exchange.xforce.ibmcloud.com/vulnerabilities/42216 https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00036.html https://www.redhat.com/archives/fedora-pa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •