VuXML ID | Description |
dc2d76df-a595-11e4-9363-20cf30e32f6d | Bugzilla multiple security issues
A Bugzilla Security Advisory reports:
Command Injection
Some code in Bugzilla does not properly use the three-argument form
of open(), and it is possible for an account with editcomponents
permissions to inject commands into product names and other
attributes.
Information Leak
Using the WebServices API, a user can possibly execute imported
functions from other non-WebService modules. A whitelist has now
been added that lists the explicit methods that can be executed via
the API.
Discovery: 2015-01-21  Entry: 2015-01-26
Affects: bugzilla44 < 4.4.7
CVE-2014-8630
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
https://bugzilla.mozilla.org/show_bug.cgi?id=1090275
|
9defb2d6-1404-11e4-8cae-20cf30e32f6d | bugzilla -- Cross Site Request Forgery
A Bugzilla Security Advisory reports:
Adobe does not properly restrict the SWF file format,
which allows remote attackers to conduct cross-site
request forgery (CSRF) attacks against Bugzilla's JSONP
endpoint, possibly obtaining sensitive bug information,
via a crafted OBJECT element with SWF content satisfying
the character-set requirements of a callback API.
Discovery: 2014-07-24  Entry: 2014-07-25
Affects: bugzilla44 < 4.4.5
CVE-2014-1546
|
ea893f06-5a92-11e5-98c0-20cf30e32f6d | Bugzilla security issues
A Bugzilla Security Advisory reports:
Login names (usually an email address) longer than 127
characters are silently truncated in MySQL, which could
cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to
create an account with an email address different from the
one originally requested. The login name could then be
automatically added to groups based on the group's regular
expression setting.
Discovery: 2015-09-10  Entry: 2015-09-14
Affects: bugzilla44 < 4.4.10; bugzilla50 < 5.0.1
CVE-2015-4499
https://bugzilla.mozilla.org/show_bug.cgi?id=1202447
|
22283b8c-13c5-11e8-a861-20cf30e32f6d | Bugzilla security issues
A Bugzilla Security Advisory reports:
A CSRF vulnerability in report.cgi would allow a third-party site
to extract confidential information from a bug the victim had access to.
Discovery: 2018-02-16  Entry: 2018-02-16
Affects: bugzilla44 < 4.4.13; bugzilla50 < 5.0.4
CVE-2018-5123
https://bugzilla.mozilla.org/show_bug.cgi?id=1433400
|
54075861-a95a-11e5-8b40-20cf30e32f6d | Bugzilla security issues
A Bugzilla Security Advisory reports:
During the generation of a dependency graph, the code for
the HTML image map is generated locally if a local dot
installation is used. With escaped HTML characters in a bug
summary, it is possible to inject unfiltered HTML code in
the map file which the CreateImagemap function generates.
This could be used for a cross-site scripting attack.
If an external HTML page contains a |