CVSS: 7.5EPSS: 0%CPEs: 160EXPL: 0CVE-2011-3667 – Bugzilla XSS / XSRF / Unauthorized Account Creation
https://notcve.org/view.php?id=CVE-2011-3667
29 Dec 2011 — The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message. El método WebService User.offer_account_by_email en Bugzilla v2.x y v3.x antes de v3.4.13, en v3.5.x y v3.6.x antes de v3.6.7, en v3.7... • http://archives.neohapsis.com/archives/bugtraq/2011-12/0184.html • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 18EXPL: 0CVE-2011-2977
https://notcve.org/view.php?id=CVE-2011-2977
09 Aug 2011 — Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6. Bugzilla 3.6.x anteriores a la versón 3.6.6, 3.7.x, 4.0.x anteriores a 4.0.2 y 4.1.x anteriores a 4.1.3 en Windows no borra los archivos temporales asociados a adjuntos subidos, lo que permite a usuarios locales... • http://secunia.com/advisories/45501 •
CVSS: 6.1EPSS: 0%CPEs: 200EXPL: 1CVE-2011-2379 – Debian Security Advisory 2322-1
https://notcve.org/view.php?id=CVE-2011-2379
09 Aug 2011 — Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9 or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers to inject arbitrary web script or HTML via a crafted patch, related to content sniffing. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.4 hasta la versión 2.22.7, 3.0.x hasta la... • http://secunia.com/advisories/45501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 75EXPL: 0CVE-2011-2380 – Debian Security Advisory 2322-1
https://notcve.org/view.php?id=CVE-2011-2380
09 Aug 2011 — Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing. Bugzilla 2.23.3 hasta la versión 2.22.7, 3.0.x hasta la versión 3.3.x, 3.4.x anteriores a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.7.x, 4.0.x anteriores a 4.0.2 y 4.1.x anteriores a 4.1.3 permite a atacantes remotos d... • http://secunia.com/advisories/45501 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 115EXPL: 0CVE-2011-2381 – Debian Security Advisory 2322-1
https://notcve.org/view.php?id=CVE-2011-2381
09 Aug 2011 — CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. Vulnerabilidad de inyección CRLF (Carriage Return - Line Feed) en Bugzilla 2.17.1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anteriores a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.7.x, 4.0.x anteriores... • http://secunia.com/advisories/45501 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 129EXPL: 0CVE-2011-2978 – Debian Security Advisory 2322-1
https://notcve.org/view.php?id=CVE-2011-2978
09 Aug 2011 — Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anterior a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.... • http://secunia.com/advisories/45501 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 1%CPEs: 6EXPL: 0CVE-2010-4209
https://notcve.org/view.php?id=CVE-2010-4209
07 Nov 2010 — Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la infraestructura del componente de Flash en YUI v2.8.0 hasta v2.8.1, tal como se emplea en Bugzilla v3.7.1 hasta v3.7.3 y v4.1, permite a atacantes remotos inyecta... • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 92EXPL: 1CVE-2010-3764 – Bugzilla HTTP Response Splitting / Cross Site Scripting / Information Leak
https://notcve.org/view.php?id=CVE-2010-3764
05 Nov 2010 — The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL. La implementación Old Charts en Bugzilla v2.12 hasta v3.2.8, v3.4.8, v3.6.2, v3.7.3, y v4.1 crea archivos gráficos con nombres predecibles en graphs/, lo que permite a atacantes remotos obtener información sensible a través de URL modificadas. Bugzilla versions 3.2.8, 3.4.8, 3.6.2 an... • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •