CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1CVE-2007-4539
https://notcve.org/view.php?id=CVE-2007-4539
27 Aug 2007 — The WebService (XML-RPC) interface in Bugzilla 2.23.3 through 3.0.0 does not enforce permissions for the time-tracking fields of bugs, which allows remote attackers to obtain sensitive information via certain XML-RPC requests, as demonstrated by the (1) Deadline and (2) Estimated Time fields. La interfaz WebService (XML-RPC) en Bugzilla 2.23.3 hasta la 3.0.0 no hace cumplir los permisos para los campos time-tracking de los fallos (bugs), lo cual permite a atacantes remotos obtener información sensible a tra... • http://osvdb.org/37202 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 30EXPL: 1CVE-2007-4543
https://notcve.org/view.php?id=CVE-2007-4543
27 Aug 2007 — Cross-site scripting (XSS) vulnerability in enter_bug.cgi in Bugzilla 2.17.1 through 2.20.4, 2.22.x before 2.22.3, and 3.x before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via the buildid field in the "guided form." Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en enter_bug.cgi en Bugzilla 2.17.1 hasta la 2.20.4, 2.22.x anterior a 2.22.3, y 3.x anterior a 3.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo buildid en l... • http://osvdb.org/37201 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2007-0791
https://notcve.org/view.php?id=CVE-2007-0791
06 Feb 2007 — Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.20.3, 2.22.1, and 2.23.3, and earlier versions down to 2.20.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en feeds de Atom en Bugzilla 2.20.3, 2.22.1, y 2.23.3, y versiones anteriores a 2.20.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante vectores no especificados. • http://osvdb.org/33090 •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-0792
https://notcve.org/view.php?id=CVE-2007-0792
06 Feb 2007 — The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct request for the localconfig file. La secuencia de comandos de inicialización de mod_perl en Bugzilla 2.23.3 no establece la configuración de Bugzilla Apache para permitir sobrescribir los permisos del fichero .htaccess, lo cual permite a atacantes remotos obtene... • http://osvdb.org/35862 •
CVSS: 5.4EPSS: 0%CPEs: 18EXPL: 0CVE-2006-5453
https://notcve.org/view.php?id=CVE-2006-5453
23 Oct 2006 — Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) page headers using the H1, H2, and H3 HTML tags in global/header.html.tmpl, (2) description fields of certain items in various edit cgi scripts, and (3) the id parameter in showdependencygraph.cgi. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) e... • http://secunia.com/advisories/22409 •
CVSS: 9.1EPSS: 1%CPEs: 18EXPL: 0CVE-2006-5454
https://notcve.org/view.php?id=CVE-2006-5454
23 Oct 2006 — Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x before 2.23.3 allow remote attackers to obtain (1) the description of arbitrary attachments by viewing the attachment in "diff" mode in attachment.cgi, and (2) the deadline field by viewing the XML format of the bug in show_bug.cgi. Bugzilla 2.18.x anteriores a 2.18.6, 2.20.x anteriores a 2.20.3, 2.22.x anterioers a 2.22.1, y 2.23.x anteriores a 2.23.3 permiten a atacantes remotos obtener (1) la descripción de adjuntos de ... • http://secunia.com/advisories/22409 •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2006-5455
https://notcve.org/view.php?id=CVE-2006-5455
23 Oct 2006 — Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en editversions.cgi en Bugzilla anterior a 2.22.1 y 2.23.x anteriores a 2.23.3 permite a atacantes remotos con intervención del usuario crear, modificar o borrar informes de "bugs" de su elección mediante una URL cr... • http://secunia.com/advisories/22409 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2006-2420
https://notcve.org/view.php?id=CVE-2006-2420
16 May 2006 — Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences such as ">", which are automatically decoded by some RSS readers. NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers. While this issue normally would not be included in CVE, it is being identified since the Bugzilla d... • http://marc.info/?l=bugtraq&m=112818466125484&w=2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 1CVE-2006-0913
https://notcve.org/view.php?id=CVE-2006-0913
28 Feb 2006 — SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through 2.18.4 and 2.20 allows remote authenticated users with administrative privileges to execute arbitrary SQL commands via the whinedays parameter, as accessible from editparams.cgi. • http://secunia.com/advisories/18979 •
CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 1CVE-2006-0914
https://notcve.org/view.php?id=CVE-2006-0914
28 Feb 2006 — Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly handle certain characters in the mostfreqthreshold parameter in duplicates.cgi, which allows remote attackers to trigger a SQL error. • http://www.securityfocus.com/archive/1/425584/100/0/threaded • CWE-20: Improper Input Validation •