CVSS: 6.1EPSS: 0%CPEs: 106EXPL: 0CVE-2011-2976
https://notcve.org/view.php?id=CVE-2011-2976
09 Aug 2011 — Cross-site scripting (XSS) vulnerability in Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, and 3.4.x before 3.4.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving a BUGLIST cookie. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x y 3.4.x anteriores a la 3.4.12 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran u... • http://secunia.com/advisories/45501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 129EXPL: 0CVE-2011-2978
https://notcve.org/view.php?id=CVE-2011-2978
09 Aug 2011 — Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anterior a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.... • http://secunia.com/advisories/45501 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 109EXPL: 0CVE-2011-0046
https://notcve.org/view.php?id=CVE-2011-0046
28 Jan 2011 — Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi. Múltiples vulne... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 109EXPL: 0CVE-2011-0048
https://notcve.org/view.php?id=CVE-2011-0048
28 Jan 2011 — Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI. Bugzilla anterior a v3.2.10, v3.4.x anterior a v3.4.10, v3.6.x anterior a v3.6.4, y v4.0.x anterior a v4.0rc2 crea un enlace a un campo URI de la URL (también conocido como bug_file_loc) de (1) javascri... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 109EXPL: 0CVE-2010-4567
https://notcve.org/view.php?id=CVE-2010-4567
28 Jan 2011 — Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field. Bugzilla anterior a v3.2.10, v3.4.x anterior a v3.4.10, v3.6.x anterior a v3.6.4, y v4.0.x anterior a v4.0rc2 no gestiona adecuadamente el espacio en blanco que precede a URIs de (1) javascript: o (2) datos:, esto permite a ata... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 113EXPL: 0CVE-2010-4568
https://notcve.org/view.php?id=CVE-2010-4568
28 Jan 2011 — Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function. Bugzilla v2.14 a la v2.22.7; v3.0.x, v3.1.x, y v3.2.x anterior a v3.2.10; v3.4.x anterior a v3.4.10; v3.6.x anterior a v3.6.4; y v4.0.x anterior a v4.0rc... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 109EXPL: 0CVE-2010-4572
https://notcve.org/view.php?id=CVE-2010-4572
28 Jan 2011 — CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411. Vulnerabilidad de CRLF (de validación de entrada) en chart.cgi en Bugzilla anterior a v3.2.10, v3.4.x anterior a v3.4.10, v3.6.x anterior a v3.6.4, y v4.0.x anterior a v4.0rc2, permite a atac... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 92EXPL: 1CVE-2010-3764
https://notcve.org/view.php?id=CVE-2010-3764
05 Nov 2010 — The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL. La implementación Old Charts en Bugzilla v2.12 hasta v3.2.8, v3.4.8, v3.6.2, v3.7.3, y v4.1 crea archivos gráficos con nombres predecibles en graphs/, lo que permite a atacantes remotos obtener información sensible a través de URL modificadas. • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.7EPSS: 0%CPEs: 105EXPL: 0CVE-2010-3172
https://notcve.org/view.php?id=CVE-2010-3172
05 Nov 2010 — CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL. Vulnerabilidad de inyección CRLF (se refiere a CR (retorno de carro) y LF (salto de línea)) en Bugzilla anterior a v3.2.9, v3.4.x anterior a v3.4.9, v3.6.x anterior a v3.6.3, y v4.0.x anterior a v4.0rc1, cuando S... • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 78EXPL: 0CVE-2010-2756
https://notcve.org/view.php?id=CVE-2010-2756
13 Aug 2010 — Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to determine the group memberships of arbitrary users via vectors involving the Search interface, boolean charts, and group-based pronouns. Search.pm en Bugzilla v2.19.1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2 permite a atacantes remotos determinar la pertenencia a grupos de usuarios de su elección a través de vectores de ataque q... • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html • CWE-264: Permissions, Privileges, and Access Controls •