CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0CVE-2009-3387
https://notcve.org/view.php?id=CVE-2009-3387
Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances. Bugzilla desde v3.3.1 hasta v3.4.4, v3.5.1, y v3.5.2 no permite que se mantengan las restricciones de grupo durante el proceso de traslado de un bug a otra categoría de producto, lo que permite a atacantes remotos conseguir información sensible a través de una petición para un bug en determinadas circunstancias. • http://secunia.com/advisories/38443 http://www.securityfocus.com/archive/1/509282/100/0/threaded http://www.securityfocus.com/bid/38026 http://www.vupen.com/english/advisories/2010/0261 https://bugzilla.mozilla.org/show_bug.cgi?id=532493 https://exchange.xforce.ibmcloud.com/vulnerabilities/56004 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 85EXPL: 0CVE-2009-3989
https://notcve.org/view.php?id=CVE-2009-3989
Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt. Bugzilla anteriores a v3.0.11, v3.2.x anteriores a v3.2.6, v3.4.x anteriores a v3.4.5, y v3.5.x anteriores a v3.5.3 no bloquea el acceso a ficheros y directorios que son utilizados en instalaciones personalizadas, lo que permite a atacantes remotos conseguir información sensible a través de peticiones para (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt. • http://secunia.com/advisories/38443 http://www.securityfocus.com/archive/1/509282/100/0/threaded http://www.securityfocus.com/bid/38025 http://www.vupen.com/english/advisories/2010/0261 https://bugzilla.mozilla.org/show_bug.cgi?id=314871 https://bugzilla.mozilla.org/show_bug.cgi?id=434801 https://exchange.xforce.ibmcloud.com/vulnerabilities/56003 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0CVE-2009-3386
https://notcve.org/view.php?id=CVE-2009-3386
Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug. El fichero Template.pm en Bugzilla v3.3.2 hasta la v3.4.3 y v3.5 hasta la v3.5.1 permite descubrir a atacantes remotos el alias de un bug privado al leer los campos (1) "Depends On" o (2) "Blocks" de un bug relacionado. • http://osvdb.org/60271 http://secunia.com/advisories/37423 http://www.bugzilla.org/security/3.4.3 http://www.securityfocus.com/bid/37062 http://www.vupen.com/english/advisories/2009/3288 https://bugzilla.mozilla.org/show_bug.cgi?id=529416 https://exchange.xforce.ibmcloud.com/vulnerabilities/54332 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2009-3125
https://notcve.org/view.php?id=CVE-2009-3125
SQL injection vulnerability in the Bug.search WebService function in Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to execute arbitrary SQL commands via unspecified parameters. Vulnerabilidad de inyección SQL en la función Bug.search de WebService en Bugzilla v3.3.2 hasta la v3.4.1 y v3.5, permite a atacantes remotos ejecutar comandos SQL a través de parámetros no especificados. • http://secunia.com/advisories/36718 http://www.bugzilla.org/security/3.0.8 http://www.securityfocus.com/bid/36371 https://bugzilla.mozilla.org/show_bug.cgi?id=515191 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2009-3166
https://notcve.org/view.php?id=CVE-2009-3166
token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. token.cgi en Bugzilla v3.4rc1 hasta v3.4.1 coloca una contraseña en una URL al comienzo del inicio de sesión que ocurre inmediatamente después del restablecimiento de la contraseña, lo que permite dependiendo del contexto a atacantes descubrir contraseñas leyendo (1) logs de acceso del servidor web, (2) logs Referer del servidor web, o (3) el historial del navegador. • http://secunia.com/advisories/36718 http://www.bugzilla.org/security/3.0.8 http://www.securityfocus.com/bid/36372 http://www.securitytracker.com/id?1022902 https://bugzilla.mozilla.org/show_bug.cgi?id=508189 • CWE-255: Credentials Management Errors •