CVSS: 7.5EPSS: 0%CPEs: 160EXPL: 0CVE-2011-3667
https://notcve.org/view.php?id=CVE-2011-3667
02 Jan 2012 — The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message. El método WebService User.offer_account_by_email en Bugzilla v2.x y v3.x antes de v3.4.13, en v3.5.x y v3.6.x antes de v3.6.7, en v3.7... • http://archives.neohapsis.com/archives/bugtraq/2011-12/0184.html • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 161EXPL: 1CVE-2011-3668
https://notcve.org/view.php?id=CVE-2011-3668
02 Jan 2012 — Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en post_bug.cgi en Bugzilla v2.x, v3.x, y v4.x antes de v4.2rc1, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección para peticiones que crean informes de bugs. • http://secunia.com/advisories/47368 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 161EXPL: 1CVE-2011-3669
https://notcve.org/view.php?id=CVE-2011-3669
02 Jan 2012 — Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF)en attachment.cgi en Bugzilla v2.x, v3.x, y v4.x antes de v4.2rc1, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección para peticiones que suben adjuntos • http://secunia.com/advisories/47368 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 200EXPL: 1CVE-2011-2379
https://notcve.org/view.php?id=CVE-2011-2379
09 Aug 2011 — Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9 or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers to inject arbitrary web script or HTML via a crafted patch, related to content sniffing. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.4 hasta la versión 2.22.7, 3.0.x hasta la... • http://secunia.com/advisories/45501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 75EXPL: 0CVE-2011-2380
https://notcve.org/view.php?id=CVE-2011-2380
09 Aug 2011 — Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing. Bugzilla 2.23.3 hasta la versión 2.22.7, 3.0.x hasta la versión 3.3.x, 3.4.x anteriores a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.7.x, 4.0.x anteriores a 4.0.2 y 4.1.x anteriores a 4.1.3 permite a atacantes remotos d... • http://secunia.com/advisories/45501 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 115EXPL: 0CVE-2011-2381
https://notcve.org/view.php?id=CVE-2011-2381
09 Aug 2011 — CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. Vulnerabilidad de inyección CRLF (Carriage Return - Line Feed) en Bugzilla 2.17.1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anteriores a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.7.x, 4.0.x anteriores... • http://secunia.com/advisories/45501 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 18EXPL: 0CVE-2011-2977
https://notcve.org/view.php?id=CVE-2011-2977
09 Aug 2011 — Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6. Bugzilla 3.6.x anteriores a la versón 3.6.6, 3.7.x, 4.0.x anteriores a 4.0.2 y 4.1.x anteriores a 4.1.3 en Windows no borra los archivos temporales asociados a adjuntos subidos, lo que permite a usuarios locales... • http://secunia.com/advisories/45501 •
CVSS: 9.1EPSS: 0%CPEs: 129EXPL: 0CVE-2011-2978
https://notcve.org/view.php?id=CVE-2011-2978
09 Aug 2011 — Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anterior a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.... • http://secunia.com/advisories/45501 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2011-2979
https://notcve.org/view.php?id=CVE-2011-2979
09 Aug 2011 — Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression. Bugzilla 4.1.x anteriores a 4.1.3 genera respuestas distintas a peticiones determinadas sobre la persona asignada ("assignee") dependiendo de si el nombre del grupo es válido, lo que permite a atacantes remo... • http://secunia.com/advisories/45501 •
CVSS: 6.1EPSS: 1%CPEs: 6EXPL: 0CVE-2010-4209
https://notcve.org/view.php?id=CVE-2010-4209
07 Nov 2010 — Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la infraestructura del componente de Flash en YUI v2.8.0 hasta v2.8.1, tal como se emplea en Bugzilla v3.7.1 hasta v3.7.3 y v4.1, permite a atacantes remotos inyecta... • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •