CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-5123 – Bugzilla 4.4.12 / 5.0.3 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-5123
19 Feb 2018 — A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4. Un sitio web de terceros puede acceder a la información disponible para un usuario con acceso a una entrada de fallo restringida, utilizando la generación de imágenes en report.cgi en todas las versiones de Bugzilla anteriores a la 4.4. Bugzilla versions 2.16rc1 to 4.4.12 and 4.5.1 to 5.0.3 suffer from a cross site request forg... • https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-5123 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 224EXPL: 0CVE-2016-2803 – Bugzilla 4.4.11 / 5.0.2 Summary Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-2803
17 May 2016 — Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad (XSS) en los gráficos de dependencia en Bugzilla 2.16rc1 hasta la versión 4.4.11, y 4.5.1 hasta la versión 5.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrario. Bugzilla versions 2.16rc1 to 4.4.11 and 4.5.1 to 5.0.2 suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/137079/Bugzilla-4.4.11-5.0.2-Summary-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 147EXPL: 1CVE-2015-8508 – Bugzilla Cross Site Scripting / Information Leak
https://notcve.org/view.php?id=CVE-2015-8508
23 Dec 2015 — Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary. Vulnerabilidad de XSS en showdependencygraph.cgi en Bugzilla 2.x, 3.x y 4.x en versiones anteriores a 4.2.16, 4.3.x y 4.4.x en versiones anteriores a 4.4.11 y 4.5.x y 5.0.x en versiones anteriores a 5.0.2... • http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 147EXPL: 1CVE-2015-8509 – Bugzilla Cross Site Scripting / Information Leak
https://notcve.org/view.php?id=CVE-2015-8509
23 Dec 2015 — Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code. Template.pm en Bugzilla 2.x, 3.x y 4.x en versiones anteriores a 4.2.16, 4.3.x y 4.4.x en versiones anteriores a 4.4.11 y 4.5.x y 5.0.x en versiones anteriores a 5.0.2 no construye adecuadamente archivos CSV, lo que p... • http://packetstormsecurity.com/files/135048/Bugzilla-Cross-Site-Scripting-Information-Leak.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 1%CPEs: 205EXPL: 1CVE-2015-4499 – Bugzilla Unauthorized Account Creation
https://notcve.org/view.php?id=CVE-2015-4499
10 Sep 2015 — Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address. Vulnerabilidad en Util.pm en Bugzilla 2.x, 3.x, y 4.x en versiones anteriores a 4.2.15, 4.3.x y 4.4.x en ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168725.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 41EXPL: 0CVE-2014-8630 – Mandriva Linux Security Advisory 2015-030
https://notcve.org/view.php?id=CVE-2014-8630
01 Feb 2015 — Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name. Bugzilla anterior a 4.0.16, 4.1.x y 4.2.x anterior a 4.2.12, 4.3.x y 4.4.x anterior a 4.4.7, y 5.x anterior a 5.0rc1 permite a usuarios remotos autenticados ejecutar comandos a... • http://advisories.mageia.org/MGASA-2015-0048.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 207EXPL: 0CVE-2014-1571 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1571
07 Oct 2014 — Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template. Bugzilla 2.x hasta 4.0.x anterior a 4.0.15, 4.1.x y 4.2.x anterior a 4.2.11, 4.3.x y 4.4.x anterior a 4.4.6, y 4.5.x anterior a 4.5.6 permite a usuarios remotos autenticados obtener información sensible de comenta... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 207EXPL: 0CVE-2014-1572 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1572
07 Oct 2014 — The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group pri... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 207EXPL: 0CVE-2014-1573 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1573
07 Oct 2014 — Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name. Bugzilla 2.x hasta 4.0.x anterior a 4.0.15, 4.1.x y 4.2.x anterior a 4.2.11, 4.3.x y 4.4.x anterior a 4.4.6, y 4.5.x anterior a 4.5.6 no asegura que se utilice un contexto escalar par... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 124EXPL: 0CVE-2014-1546 – Mandriva Linux Security Advisory 2014-169
https://notcve.org/view.php?id=CVE-2014-1546
25 Jul 2014 — The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback cha... • http://advisories.mageia.org/MGASA-2014-0349.html • CWE-352: Cross-Site Request Forgery (CSRF) •