Page 4 of 39 results (0.012 seconds)

CVSS: 4.3EPSS: 0%CPEs: 36EXPL: 0

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en la infraestructura del componente Flash en YUI v2.8.0 a v2.9.0 tal y como se usa en Bugzilla v3.7.x y v4.0.x antes de v4.0.9, v4.1.x y v4.2.x antes de v4.2.4 y v4.3.x y v4.4.x antes de v4.4rc1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con swfstore.swf. Se trata de un problema similar a CVE-2010-4209. • http://www.bugzilla.org/security/3.6.11 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 http://www.securityfocus.com/bid/56385 http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2 http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2 http://yuilibrary.com/support/20121030-vulnerability https://bugzilla.mozilla.org/show_bug.cgi?id=808845 https://exchange.xforce.ibmcloud.com/vulnerabilities/80116 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 181EXPL: 1

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action. Bugzilla/Attachment.pm en attachment.cgi en Bugzilla v2.x y v3.x antes de v3.6.12, v3.7.x y v4.0.x antes de v4.0.9, v4.1.x y v4.2.x antes de v4.2.4 y v4.3. x y v4.4.x antes de v4.4rc1 permite a atacantes remotos leer las descripciones de los errores privados a través de una acción 'insert' con un obsolete=1. • http://www.bugzilla.org/security/3.6.11 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 https://bugzilla.mozilla.org/show_bug.cgi?id=802204 https://exchange.xforce.ibmcloud.com/vulnerabilities/80032 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 1

Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the Version field. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en Bugzilla v4.1.x y v4.2.x antes de v4.2.4, v4.3.x y v4.4.x antes y v4.4rc1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un valor de campo que no se maneja adecuadamente durante la construcción de un informe tabular, como se demuestra usando el campo 'Version'. • http://www.bugzilla.org/security/3.6.11 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 https://bugzilla.mozilla.org/show_bug.cgi?id=790296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code. template/es/default/bug/field-events.js.tmpl en Bugzilla v3.x antes de v3.6.12, v3.7.x y v4.0.x antes de v4.0.9, v4.1.x y v4.2.x antes de v4.2.4 y v4.3.x v4.4.x antes de v4.4rc1 genera llamadas a funciones de JavaScript que contiene nombres de productos privados o nombres de componentes privados en determinadas circunstancias que se refieren al control de la visibilidad a nivel de campo, lo que permite a atacantes remotos obtener información sensible mediante la lectura del código fuente HTML. • http://www.bugzilla.org/security/3.6.11 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 https://bugzilla.mozilla.org/show_bug.cgi?id=731178 https://exchange.xforce.ibmcloud.com/vulnerabilities/80029 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.0EPSS: 0%CPEs: 29EXPL: 0

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error. El método User.get en Bugzilla/WebService/User.pm en Bugzilla v3.7.x y v4.0.x antes de v4.0.9, v4.1.x y v4.2.x antes de v4.2.4 y v4.3.x y v4.4.x antes de v4.4rc1 tiene un resultado diferente para una solicitud de grupos en función de si un grupo existe, lo que permite a usuarios remotos autenticados descubrir los nombres de grupos privados mediante la observación de si la llamada devuelve un error. • http://www.bugzilla.org/security/3.6.11 http://www.mandriva.com/security/advisories?name=MDVSA-2013:066 https://bugzilla.mozilla.org/show_bug.cgi?id=781850 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •