Page 12 of 65 results (0.013 seconds)

CVSS: 3.5EPSS: 0%CPEs: 18EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) page headers using the H1, H2, and H3 HTML tags in global/header.html.tmpl, (2) description fields of certain items in various edit cgi scripts, and (3) the id parameter in showdependencygraph.cgi. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Bug<illa 2.18.x anteriores a 2.18.6, 2.20.x anteriores a 2.20.3, 2.22.x anteriores a 2.22.1, y 2.23.x anteriores a 2.23.3 permiten a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML de su elección mediante (1) cabeceras de página usando las etiquetas HTML H1, H2, H3 en global/header.html.tmpl, (2) campos de descripción de determinados objetos en varias secuencias de comandos cgi de edición, y (3) el parámetro id en showdependencygraph.cgi. • http://secunia.com/advisories/22409 http://secunia.com/advisories/22790 http://secunia.com/advisories/22826 http://security.gentoo.org/glsa/glsa-200611-04.xml http://securityreason.com/securityalert/1760 http://securitytracker.com/id?1017063 http://www.bugzilla.org/security/2.18.5 http://www.debian.org/security/2006/dsa-1208 http://www.osvdb.org/29544 http://www.osvdb.org/29545 http://www.osvdb.org/29549 http://www.securityfocus.com/archive/1/448777/100/100&#x •

CVSS: 5.5EPSS: 0%CPEs: 22EXPL: 1

SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through 2.18.4 and 2.20 allows remote authenticated users with administrative privileges to execute arbitrary SQL commands via the whinedays parameter, as accessible from editparams.cgi. • http://secunia.com/advisories/18979 http://www.osvdb.org/23378 http://www.securityfocus.com/archive/1/425584/100/0/threaded http://www.securityfocus.com/bid/16738 http://www.vupen.com/english/advisories/2006/0692 https://bugzilla.mozilla.org/show_bug.cgi?id=312498 https://exchange.xforce.ibmcloud.com/vulnerabilities/24819 •

CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 1

Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly handle certain characters in the mostfreqthreshold parameter in duplicates.cgi, which allows remote attackers to trigger a SQL error. • http://www.securityfocus.com/archive/1/425584/100/0/threaded http://www.vupen.com/english/advisories/2006/0692 https://bugzilla.mozilla.org/show_bug.cgi?id=312498 https://exchange.xforce.ibmcloud.com/vulnerabilities/42802 • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 1%CPEs: 13EXPL: 0

Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set. • http://marc.info/?l=bugtraq&m=112818466125484&w=2 http://secunia.com/advisories/17030 http://www.bugzilla.org/security/2.18.4 http://www.securityfocus.com/bid/14995 https://exchange.xforce.ibmcloud.com/vulnerabilities/22490 •

CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0

The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi. • http://securitytracker.com/id?1014428 http://www.bugzilla.org/security/2.18.1 https://bugzilla.mozilla.org/show_bug.cgi?id=293159 •