CVSS: 4.3EPSS: 0%CPEs: 29EXPL: 0CVE-2012-4198
https://notcve.org/view.php?id=CVE-2012-4198
16 Nov 2012 — The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error. El método User.get en Bugzilla/WebService/User.pm en Bugzilla v3.7.x y v4.0.x antes de v4.0.9, v4.1.x y v4.2.x antes de v4.2.4 y v4.3.x y v4.4.x antes de v4... • http://www.bugzilla.org/security/3.6.11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 99EXPL: 0CVE-2012-4199
https://notcve.org/view.php?id=CVE-2012-4199
16 Nov 2012 — template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code. template/es/default/bug/field-events.js.tmpl en Bugzilla v3.x antes de v3.6.12, v3.7.x ... • http://www.bugzilla.org/security/3.6.11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 36EXPL: 0CVE-2012-5883
https://notcve.org/view.php?id=CVE-2012-5883
16 Nov 2012 — Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en la infraestructura del componente Flash en YUI v2.8.0 a v2.9.0 tal y como se usa en ... • http://www.bugzilla.org/security/3.6.11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 181EXPL: 0CVE-2012-4747
https://notcve.org/view.php?id=CVE-2012-4747
04 Sep 2012 — Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to read (1) template (aka .tmpl) files, (2) other custom extension files under extensions/, or (3) custom documentation files under docs/ via a direct request. Bugzilla 2.x y 3.x a través de 3.6.11, 3.7.x y 4.0.x anterior a 4.0.8, 4.1.x y 4.2.x anterior a 4.2.3, y 4.3... • http://www.bugzilla.org/security/3.6.10 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 168EXPL: 0CVE-2012-3981
https://notcve.org/view.php?id=CVE-2012-3981
04 Sep 2012 — Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LDAP directory via a crafted login attempt. Auth/Verify/LDAP.pm en Bugzilla 2.x y 3.x anterio a 3.6.11, 3.7.x y 4.0.x anterior a 4.0.8, 4.1.x y 4.2.x anterior a 4.2.3 y 4.3.x anterior a 4.3.3 no restringe los caracteres de un nombre de usuario, lo que podría permi... • http://osvdb.org/85072 • CWE-255: Credentials Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 173EXPL: 0CVE-2012-1969
https://notcve.org/view.php?id=CVE-2012-1969
28 Jul 2012 — The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment. La función get_attachment_link en Template.pm en Bugzilla v2.x y v3.x anterior a v3.6.10, v3.7.x y v4.0.x anterior a v4.0.7, v4.... • http://secunia.com/advisories/50040 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2012-1968
https://notcve.org/view.php?id=CVE-2012-1968
28 Jul 2012 — Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote attackers to obtain sensitive description information by reading the tooltip portions of an HTML e-mail message. Bugzilla v4.1.x y v4.2.x anterior a v4.2.2 y v4.3.x anterior v4.3.2 usa los privilegios de bug-editor en lugar de bugmail-recipient durante la construcción de documentos HTML de bugmail los cuales permite... • http://secunia.com/advisories/50040 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 164EXPL: 0CVE-2012-0466
https://notcve.org/view.php?id=CVE-2012-0466
27 Apr 2012 — template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. El fichero template/en/default/list/list.js.tmpl en Bugzilla v2.x y v3.x antes de v3.6.9, v3.7.x y v4.0.x antes de v4.0.6 y v4.1.x y v4.2.x antes de v4.2.1 no trata correctamente los inicios de ... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2012-0465
https://notcve.org/view.php?id=CVE-2012-0465
27 Apr 2012 — Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. Bugzilla v3.5.x y v3.6.x antes de v3.6.9, v3.7.x y v4.0.x antes de v4.0.6 y v4.1.x y v4.2.x antes de v4.2.1, cuando ... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-0453
https://notcve.org/view.php?id=CVE-2012-0453
25 Feb 2012 — Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product's installation via the XML-RPC API. Vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en xmlrpc.cgi en Bugzilla v4.0.2 hasta v4.0.4 y v4.1.1 hasta v4.2rc2, cuando mod_perl se utiliza, permite a atacantes remotos secuestrar la autenticació... • http://www.bugzilla.org/security/4.0.4 • CWE-352: Cross-Site Request Forgery (CSRF) •