Total
151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-2470 | 1 Mozilla | 1 Bugzilla | 2010-06-28 | 1.9 LOW | N/A |
| Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through 3.7.1, when use_suexec is enabled, uses world-readable permissions within (1) .bzr/ and (2) data/webdot/, which allows local users to obtain potentially sensitive data by reading files in these directories, a different vulnerability than CVE-2010-0180. | |||||
| CVE-2010-1204 | 1 Mozilla | 1 Bugzilla | 2010-06-28 | 5.0 MEDIUM | N/A |
| Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search." | |||||
| CVE-2010-0180 | 1 Mozilla | 1 Bugzilla | 2010-06-28 | 1.9 LOW | N/A |
| Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field. | |||||
| CVE-2009-3166 | 1 Mozilla | 1 Bugzilla | 2009-09-18 | 5.0 MEDIUM | N/A |
| token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. | |||||
| CVE-2009-3125 | 1 Mozilla | 1 Bugzilla | 2009-09-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Bug.search WebService function in Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | |||||
| CVE-2009-3165 | 1 Mozilla | 1 Bugzilla | 2009-09-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | |||||
| CVE-2009-0486 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 7.5 HIGH | N/A |
| Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. | |||||
| CVE-2009-0483 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 5.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. | |||||
| CVE-2009-0484 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 5.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi. | |||||
| CVE-2009-0485 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 5.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. | |||||
| CVE-2009-0482 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 5.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. | |||||
| CVE-2009-0481 | 1 Mozilla | 1 Bugzilla | 2009-03-24 | 3.5 LOW | N/A |
| Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers. | |||||
| CVE-2002-0811 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 7.5 HIGH | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi. | |||||
| CVE-2002-0803 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 5.0 MEDIUM | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote attackers to display restricted products and components via a direct HTTP request to queryhelp.cgi. | |||||
| CVE-2002-0807 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 7.5 HIGH | N/A |
| Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, could allow remote attackers to execute script as other Bugzilla users via the full name (real name) field, which is not properly quoted by editusers.cgi. | |||||
| CVE-2002-0009 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 5.0 MEDIUM | N/A |
| show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu. | |||||
| CVE-2002-0008 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 7.5 HIGH | N/A |
| Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the "who" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi. | |||||
| CVE-2002-0011 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 5.0 MEDIUM | N/A |
| Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allow remote attackers to more easily conduct attacks on the login. | |||||
| CVE-2002-0010 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 7.5 HIGH | N/A |
| Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges. | |||||
| CVE-2001-0329 | 1 Mozilla | 1 Bugzilla | 2008-09-10 | 7.5 HIGH | N/A |
| Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi. | |||||