Search Results (Refine Search)
- CPE Product Version: cpe:/a:mozilla:bugzilla:4.1
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2012-1969 |
The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment. Published: July 30, 2012; 9:55:10 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1968 |
Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote attackers to obtain sensitive description information by reading the tooltip portions of an HTML e-mail message. Published: July 30, 2012; 9:55:10 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-0448 |
Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. Published: February 02, 2012; 1:55:01 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-0440 |
Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API. Published: February 02, 2012; 1:55:01 PM -0500 |
V3.x:(not available) V2.0: 5.1 MEDIUM |
CVE-2011-3669 |
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments. Published: January 02, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2011-3668 |
Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports. Published: January 02, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2011-3667 |
The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message. Published: January 02, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2011-3657 |
Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart. Published: January 02, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-2979 |
Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-2978 |
Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-2977 |
Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2011-2381 |
CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-2380 |
Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-2379 |
Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9 or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers to inject arbitrary web script or HTML via a crafted patch, related to content sniffing. Published: August 09, 2011; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2010-4209 |
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf. Published: November 07, 2010; 5:00:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2010-3764 |
The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL. Published: November 05, 2010; 1:00:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |