15 results (0.009 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

19 Feb 2018 — A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4. Un sitio web de terceros puede acceder a la información disponible para un usuario con acceso a una entrada de fallo restringida, utilizando la generación de imágenes en report.cgi en todas las versiones de Bugzilla anteriores a la 4.4. Bugzilla versions 2.16rc1 to 4.4.12 and 4.5.1 to 5.0.3 suffer from a cross site request forg... • https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-5123 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 224EXPL: 0

17 May 2016 — Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad (XSS) en los gráficos de dependencia en Bugzilla 2.16rc1 hasta la versión 4.4.11, y 4.5.1 hasta la versión 5.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrario. Bugzilla versions 2.16rc1 to 4.4.11 and 4.5.1 to 5.0.2 suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/137079/Bugzilla-4.4.11-5.0.2-Summary-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7EPSS: 0%CPEs: 147EXPL: 1

23 Dec 2015 — Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary. Vulnerabilidad de XSS en showdependencygraph.cgi en Bugzilla 2.x, 3.x y 4.x en versiones anteriores a 4.2.16, 4.3.x y 4.4.x en versiones anteriores a 4.4.11 y 4.5.x y 5.0.x en versiones anteriores a 5.0.2... • http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 147EXPL: 1

23 Dec 2015 — Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code. Template.pm en Bugzilla 2.x, 3.x y 4.x en versiones anteriores a 4.2.16, 4.3.x y 4.4.x en versiones anteriores a 4.4.11 y 4.5.x y 5.0.x en versiones anteriores a 5.0.2 no construye adecuadamente archivos CSV, lo que p... • http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.8EPSS: 1%CPEs: 205EXPL: 1

10 Sep 2015 — Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address. Vulnerabilidad en Util.pm en Bugzilla 2.x, 3.x, y 4.x en versiones anteriores a 4.2.15, 4.3.x y 4.4.x en ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168725.html • CWE-20: Improper Input Validation •

CVSS: 9.8EPSS: 0%CPEs: 41EXPL: 0

01 Feb 2015 — Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name. Bugzilla anterior a 4.0.16, 4.1.x y 4.2.x anterior a 4.2.12, 4.3.x y 4.4.x anterior a 4.4.7, y 5.x anterior a 5.0rc1 permite a usuarios remotos autenticados ejecutar comandos a... • http://advisories.mageia.org/MGASA-2015-0048.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.3EPSS: 0%CPEs: 78EXPL: 0

13 Aug 2010 — Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to determine the group memberships of arbitrary users via vectors involving the Search interface, boolean charts, and group-based pronouns. Search.pm en Bugzilla v2.19.1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2 permite a atacantes remotos determinar la pertenencia a grupos de usuarios de su elección a través de vectores de ataque q... • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.1EPSS: 1%CPEs: 61EXPL: 0

13 Aug 2010 — The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery. La funcionalidad sudo de Bugzilla v2.22rc1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2 no envía apropiadamente notificaciones de suplantación, lo que facilita a usuarios remotos autenticados el suplant... • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html • CWE-310: Cryptographic Issues •

CVSS: 5.3EPSS: 0%CPEs: 100EXPL: 0

13 Aug 2010 — Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or (2) Duplicates page. Bugzilla v2.23.1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2, genera mensajes de error diferentes dependiendo de si un producto existe, lo que facilita a atacantes remoto... • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 1%CPEs: 52EXPL: 0

13 Aug 2010 — Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2, when PostgreSQL is used, does not properly handle large integers in (1) bug and (2) attachment phrases, which allows remote authenticated users to cause a denial of service (bug invisibility) via a crafted comment. Bugzilla v2.23.1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2, cuando se utiliza PostgreSQL, no maneja apropiadamente enteros grandes en elementos (1) "bug" y... • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html • CWE-189: Numeric Errors •