CVE-2006-5455
https://notcve.org/view.php?id=CVE-2006-5455
Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en editversions.cgi en Bugzilla anterior a 2.22.1 y 2.23.x anteriores a 2.23.3 permite a atacantes remotos con intervención del usuario crear, modificar o borrar informes de "bugs" de su elección mediante una URL creada artesanalmente. • http://secunia.com/advisories/22409 http://secunia.com/advisories/22790 http://security.gentoo.org/glsa/glsa-200611-04.xml http://securityreason.com/securityalert/1760 http://www.bugzilla.org/security/2.18.5 http://www.osvdb.org/29548 http://www.securityfocus.com/archive/1/448777/100/100/threaded http://www.securityfocus.com/bid/20538 http://www.vupen.com/english/advisories/2006/4035 https://bugzilla.mozilla.org/show_bug.cgi?id=281181 https://exchange.xforce.ibmcloud •
CVE-2006-5453
https://notcve.org/view.php?id=CVE-2006-5453
Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) page headers using the H1, H2, and H3 HTML tags in global/header.html.tmpl, (2) description fields of certain items in various edit cgi scripts, and (3) the id parameter in showdependencygraph.cgi. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Bug<illa 2.18.x anteriores a 2.18.6, 2.20.x anteriores a 2.20.3, 2.22.x anteriores a 2.22.1, y 2.23.x anteriores a 2.23.3 permiten a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML de su elección mediante (1) cabeceras de página usando las etiquetas HTML H1, H2, H3 en global/header.html.tmpl, (2) campos de descripción de determinados objetos en varias secuencias de comandos cgi de edición, y (3) el parámetro id en showdependencygraph.cgi. • http://secunia.com/advisories/22409 http://secunia.com/advisories/22790 http://secunia.com/advisories/22826 http://security.gentoo.org/glsa/glsa-200611-04.xml http://securityreason.com/securityalert/1760 http://securitytracker.com/id?1017063 http://www.bugzilla.org/security/2.18.5 http://www.debian.org/security/2006/dsa-1208 http://www.osvdb.org/29544 http://www.osvdb.org/29545 http://www.osvdb.org/29549 http://www.securityfocus.com/archive/1/448777/100/100 •
CVE-2006-2420
https://notcve.org/view.php?id=CVE-2006-2420
Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences such as ">", which are automatically decoded by some RSS readers. NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers. While this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. Bugzilla 2.20rc1 hasta la versión 2.20 y 2.21.1, cuando utiliza RSS 1.0, permite a atacantes remotos llevar a cabo ataques de XSS a través de un elemento del título con secuencias HTML codificadas tales como ">", que son descodificadas automáticamente por algunos lectores RSS. NOTA: este problema no está en sí mismo en Bugzilla, sino más bien debido a su diseño o inconsistencias de documentación entre RSS, o vulnerabilidades de implementación en lectores RSS. • http://marc.info/?l=bugtraq&m=112818466125484&w=2 http://secunia.com/advisories/18979 http://www.bugzilla.org/security/2.18.4 http://www.osvdb.org/23379 https://bugzilla.mozilla.org/show_bug.cgi?id=313441 https://exchange.xforce.ibmcloud.com/vulnerabilities/24820 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2006-0913
https://notcve.org/view.php?id=CVE-2006-0913
SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through 2.18.4 and 2.20 allows remote authenticated users with administrative privileges to execute arbitrary SQL commands via the whinedays parameter, as accessible from editparams.cgi. • http://secunia.com/advisories/18979 http://www.osvdb.org/23378 http://www.securityfocus.com/archive/1/425584/100/0/threaded http://www.securityfocus.com/bid/16738 http://www.vupen.com/english/advisories/2006/0692 https://bugzilla.mozilla.org/show_bug.cgi?id=312498 https://exchange.xforce.ibmcloud.com/vulnerabilities/24819 •
CVE-2006-0914
https://notcve.org/view.php?id=CVE-2006-0914
Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly handle certain characters in the mostfreqthreshold parameter in duplicates.cgi, which allows remote attackers to trigger a SQL error. • http://www.securityfocus.com/archive/1/425584/100/0/threaded http://www.vupen.com/english/advisories/2006/0692 https://bugzilla.mozilla.org/show_bug.cgi?id=312498 https://exchange.xforce.ibmcloud.com/vulnerabilities/42802 • CWE-20: Improper Input Validation •