CVSS: 8.1EPSS: 0%CPEs: 54EXPL: 0CVE-2009-0485
https://notcve.org/view.php?id=CVE-2009-0485
09 Feb 2009 — Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Bugzilla v2.17 hasta v2.22.7, v3.0 anterior a v3.0.7, v3.2 anterior a v3.2.1, y v3.3 anterior a v3.3.2 permite a atacantes remotos eliminar tipos de banderas no utilizadas a través de un enlace o una etiqueta I... • http://secunia.com/advisories/34361 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2009-0486
https://notcve.org/view.php?id=CVE-2009-0486
09 Feb 2009 — Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. Bugzilla v3.2.1, v3.0.7 y v3.3.2, cuando se ejecuta bajo mod_perl, llama a la función srand en momento de iniciarse, lo que provoca que los hijos d... • http://secunia.com/advisories/34361 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 18EXPL: 3CVE-2008-4437 – Bugzilla 3.1.4 - '--attach_path' Directory Traversal
https://notcve.org/view.php?id=CVE-2008-4437
03 Oct 2008 — Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. Vulnerabilidad de salto de directorio en importxml.pl de Bugzilla versiones anteriores a v2.22.5, y 3.x versiones anteriores a v3.0.5, cuando --attach_path está activo, permite a atacantes remotos leer ficheros de su elección a través de un fichero XML con .. (punto punto) en ... • https://www.exploit-db.com/exploits/32228 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 4%CPEs: 48EXPL: 1CVE-2008-2103
https://notcve.org/view.php?id=CVE-2008-2103
07 May 2008 — Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list. Vulnerabilidad de Secuencias de comandos en sitios cruzados (XSS) en Bugzilla 2.17.2 y versiones posteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrariamente a través del parámetro id en la vista "Format for Printing" (Vista preliminar) o en la lista bug "Lo... • http://secunia.com/advisories/30064 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 0CVE-2008-2105
https://notcve.org/view.php?id=CVE-2008-2105
07 May 2008 — email_in.pl in Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3.1.4 allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses. El archivo email_in.pl en Bugzilla versión 2.23.4, versiones... • http://secunia.com/advisories/30064 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 6%CPEs: 4EXPL: 1CVE-2007-5038
https://notcve.org/view.php?id=CVE-2007-5038
24 Sep 2007 — The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation. La función offer_account_by_email en User.pm en el WebService para Bugzilla before 3.0.2, y 3.1.x anterior a 3.1.2, no valida el valor del parámetro createemailregexp, el cual permite a atacantes remotos evitar las restricciones previstas sobre la crea... • http://fedoranews.org/updates/FEDORA-2007-229.shtml • CWE-264: Permissions, Privileges, and Access Controls •