CVSS: 9.1EPSS: 0%CPEs: 168EXPL: 0CVE-2012-3981 – Bugzilla LDAP Injection / Directory Browsing
https://notcve.org/view.php?id=CVE-2012-3981
31 Aug 2012 — Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LDAP directory via a crafted login attempt. Auth/Verify/LDAP.pm en Bugzilla 2.x y 3.x anterio a 3.6.11, 3.7.x y 4.0.x anterior a 4.0.8, 4.1.x y 4.2.x anterior a 4.2.3 y 4.3.x anterior a 4.3.3 no restringe los caracteres de un nombre de usuario, lo que podría permi... • http://osvdb.org/85072 • CWE-255: Credentials Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 173EXPL: 0CVE-2012-1969 – Bugzilla Information Leaks
https://notcve.org/view.php?id=CVE-2012-1969
28 Jul 2012 — The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment. La función get_attachment_link en Template.pm en Bugzilla v2.x y v3.x anterior a v3.6.10, v3.7.x y v4.0.x anterior a v4.0.7, v4.... • http://secunia.com/advisories/50040 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2012-0465 – Bugzilla Unauthorized Access / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-0465
19 Apr 2012 — Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. Bugzilla v3.5.x y v3.6.x antes de v3.6.9, v3.7.x y v4.0.x antes de v4.0.6 y v4.1.x y v4.2.x antes de v4.2.1, cuando ... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 164EXPL: 0CVE-2012-0466 – Bugzilla Unauthorized Access / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-0466
19 Apr 2012 — template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. El fichero template/en/default/list/list.js.tmpl en Bugzilla v2.x y v3.x antes de v3.6.9, v3.7.x y v4.0.x antes de v4.0.6 y v4.1.x y v4.2.x antes de v4.2.1 no trata correctamente los inicios de ... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-0453 – Bugzilla Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-0453
24 Feb 2012 — Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product's installation via the XML-RPC API. Vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en xmlrpc.cgi en Bugzilla v4.0.2 hasta v4.0.4 y v4.1.1 hasta v4.2rc2, cuando mod_perl se utiliza, permite a atacantes remotos secuestrar la autenticació... • http://www.bugzilla.org/security/4.0.4 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 29EXPL: 1CVE-2012-0440 – Bugzilla CSRF / Account Impersonation
https://notcve.org/view.php?id=CVE-2012-0440
02 Feb 2012 — Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API. Una vulnerabilidad de falsificación solicitudes en sitios cruzados(CSRF) en jsonrpc.cgi en Bugzilla v3.5.x y 3.6.x antes de v3.6.8, v3.7.x y v4.0.x antes de v4.0.4 y v4.1.x y v4.2.x antes v4.2rc2 permite a atacantes remotos secuest... • http://secunia.com/advisories/47814 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 163EXPL: 1CVE-2012-0448 – Bugzilla CSRF / Account Impersonation
https://notcve.org/view.php?id=CVE-2012-0448
02 Feb 2012 — Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. Bugzilla v2.x y v3.x antes de v3.4.14, v3.5.x y v3.6.x antes de v3.6.8, v3.7.x y v4.0.x antes de v4.0.4 y v4.1.x y v4.2.x antes v4.2rc2 no rechazan los caracteres no ASCII en las dire... • http://secunia.com/advisories/47814 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 161EXPL: 1CVE-2011-3668
https://notcve.org/view.php?id=CVE-2011-3668
02 Jan 2012 — Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en post_bug.cgi en Bugzilla v2.x, v3.x, y v4.x antes de v4.2rc1, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección para peticiones que crean informes de bugs. • http://secunia.com/advisories/47368 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 161EXPL: 1CVE-2011-3669
https://notcve.org/view.php?id=CVE-2011-3669
02 Jan 2012 — Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF)en attachment.cgi en Bugzilla v2.x, v3.x, y v4.x antes de v4.2rc1, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección para peticiones que suben adjuntos • http://secunia.com/advisories/47368 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 160EXPL: 2CVE-2011-3657 – Bugzilla XSS / XSRF / Unauthorized Account Creation
https://notcve.org/view.php?id=CVE-2011-3657
29 Dec 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart. Multiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Bugzilla v2.x y v3.x antes de 3.4.13; en v3.5.x y v3.6.x antes de v3.6.7, en v3.7.x y... • https://packetstorm.news/files/id/108327 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •