Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mozilla:bugzilla:4.2:*:*:*:*:*:*:*
There are 32 matching records.
Displaying matches 21 through 32.
Vuln ID Summary CVSS Severity
CVE-2012-4747

Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to read (1) template (aka .tmpl) files, (2) other custom extension files under extensions/, or (3) custom documentation files under docs/ via a direct request.

Published: September 04, 2012; 7:04:50 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-3981

Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LDAP directory via a crafted login attempt.

Published: September 04, 2012; 7:04:50 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1969

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.

Published: July 30, 2012; 9:55:10 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1968

Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote attackers to obtain sensitive description information by reading the tooltip portions of an HTML e-mail message.

Published: July 30, 2012; 9:55:10 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-0466

template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page.

Published: April 27, 2012; 4:55:01 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2012-0465

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.

Published: April 27, 2012; 4:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-0453

Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product's installation via the XML-RPC API.

Published: February 24, 2012; 11:21:42 PM -0500
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2012-0448

Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address.

Published: February 02, 2012; 1:55:01 PM -0500
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2012-0440

Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API.

Published: February 02, 2012; 1:55:01 PM -0500
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2010-4208

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.

Published: November 07, 2010; 5:00:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2010-4207

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

Published: November 07, 2010; 5:00:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2004-0769

Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the "x" option but also exploitable through "l" and "v", and fixed in header.c, a different issue than CVE-2004-0771.

Published: August 18, 2004; 12:00:00 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH