CVSS: 9.1EPSS: 0%CPEs: 129EXPL: 0CVE-2011-2978
https://notcve.org/view.php?id=CVE-2011-2978
09 Aug 2011 — Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anterior a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.... • http://secunia.com/advisories/45501 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 1%CPEs: 3EXPL: 1CVE-2011-2979
https://notcve.org/view.php?id=CVE-2011-2979
09 Aug 2011 — Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression. Bugzilla 4.1.x anteriores a 4.1.3 genera respuestas distintas a peticiones determinadas sobre la persona asignada ("assignee") dependiendo de si el nombre del grupo es válido, lo que permite a atacantes remo... • http://secunia.com/advisories/45501 •
CVSS: 6.1EPSS: 0%CPEs: 106EXPL: 0CVE-2011-2976
https://notcve.org/view.php?id=CVE-2011-2976
09 Aug 2011 — Cross-site scripting (XSS) vulnerability in Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, and 3.4.x before 3.4.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving a BUGLIST cookie. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.16rc1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x y 3.4.x anteriores a la 3.4.12 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran u... • http://secunia.com/advisories/45501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 115EXPL: 0CVE-2011-2381
https://notcve.org/view.php?id=CVE-2011-2381
09 Aug 2011 — CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. Vulnerabilidad de inyección CRLF (Carriage Return - Line Feed) en Bugzilla 2.17.1 hasta la versión 2.22.7, 3.0.x hasta la 3.3.x, 3.4.x anteriores a 3.4.12, 3.5.x, 3.6.x anteriores a 3.6.6, 3.7.x, 4.0.x anteriores... • http://secunia.com/advisories/45501 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 3%CPEs: 109EXPL: 0CVE-2011-0046
https://notcve.org/view.php?id=CVE-2011-0046
28 Jan 2011 — Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi. Múltiples vulne... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2010-4570
https://notcve.org/view.php?id=CVE-2010-4570
28 Jan 2011 — Cross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en la funcionalidad duplicate-detection en Bugzilla v3.7.1, v3.7.2, v3.7.3, y v4.0rc1, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del c... • http://osvdb.org/70702 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 113EXPL: 0CVE-2010-4568
https://notcve.org/view.php?id=CVE-2010-4568
28 Jan 2011 — Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function. Bugzilla v2.14 a la v2.22.7; v3.0.x, v3.1.x, y v3.2.x anterior a v3.2.10; v3.4.x anterior a v3.4.10; v3.6.x anterior a v3.6.4; y v4.0.x anterior a v4.0rc... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 1%CPEs: 109EXPL: 0CVE-2010-4572
https://notcve.org/view.php?id=CVE-2010-4572
28 Jan 2011 — CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411. Vulnerabilidad de CRLF (de validación de entrada) en chart.cgi en Bugzilla anterior a v3.2.10, v3.4.x anterior a v3.4.10, v3.6.x anterior a v3.6.4, y v4.0.x anterior a v4.0rc2, permite a atac... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 109EXPL: 0CVE-2010-4567
https://notcve.org/view.php?id=CVE-2010-4567
28 Jan 2011 — Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field. Bugzilla anterior a v3.2.10, v3.4.x anterior a v3.4.10, v3.6.x anterior a v3.6.4, y v4.0.x anterior a v4.0rc2 no gestiona adecuadamente el espacio en blanco que precede a URIs de (1) javascript: o (2) datos:, esto permite a ata... • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2010-4569
https://notcve.org/view.php?id=CVE-2010-4569
28 Jan 2011 — Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en la funcionalidad duplicate-detection en Bugzilla v3.7.1, v3.7.2, v3.7.3, y v4.0rc1, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del campo "real" de una... • http://osvdb.org/70701 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •