Bugzilla before 2.14 does not restrict access to sanitycheck.cgi, which allows local users to cause a denial of service (CPU consumption) via a flood of requests to sanitycheck.cgi.
Max CVSS
2.1
EPSS Score
0.04%
Published
2001-09-10
Updated
2016-10-18
process_bug.cgi in Bugzilla before 2.14 does not set the "groupset" bit when a bug is moved between product groups, which will cause the bug to have the old group's restrictions, which might not be as stringent.
Max CVSS
2.1
EPSS Score
0.05%
Published
2001-09-10
Updated
2016-10-18
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option.
Max CVSS
2.1
EPSS Score
0.05%
Published
2002-08-12
Updated
2008-09-05
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs, using the onunload handler.
Max CVSS
2.6
EPSS Score
0.30%
Published
2002-09-24
Updated
2016-10-18
The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data.
Max CVSS
2.1
EPSS Score
0.04%
Published
2003-01-17
Updated
2016-10-18
Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions.
Max CVSS
2.1
EPSS Score
0.04%
Published
2003-08-27
Updated
2008-09-05
Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the trash folder when users select the 'Empty Trash' option, which could allow local users to access deleted messages.
Max CVSS
2.1
EPSS Score
0.04%
Published
2003-12-31
Updated
2008-09-05
Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U.
Max CVSS
2.6
EPSS Score
0.53%
Published
2004-07-07
Updated
2017-07-11
Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files.
Max CVSS
2.1
EPSS Score
0.04%
Published
2004-07-27
Updated
2017-07-11
Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allows remote attackers to determine the location of files on a user's hard drive by obscuring a file upload control and tricking the user into dragging text into that control.
Max CVSS
2.6
EPSS Score
0.21%
Published
2004-12-31
Updated
2008-09-05
Mozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks.
Max CVSS
2.6
EPSS Score
0.29%
Published
2004-12-31
Updated
2008-09-05
The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs.
Max CVSS
2.6
EPSS Score
0.76%
Published
2004-12-31
Updated
2017-07-11
Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.
Max CVSS
2.6
EPSS Score
0.51%
Published
2005-05-02
Updated
2017-10-11
Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.
Max CVSS
2.1
EPSS Score
0.04%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.
Max CVSS
2.6
EPSS Score
0.26%
Published
2005-03-23
Updated
2017-10-11
Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.
Max CVSS
2.6
EPSS Score
0.13%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.
Max CVSS
2.6
EPSS Score
46.47%
Published
2005-01-24
Updated
2017-10-11
Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."
Max CVSS
2.6
EPSS Score
0.49%
Published
2005-02-07
Updated
2017-10-11
Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing."
Max CVSS
2.6
EPSS Score
0.54%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.
Max CVSS
2.6
EPSS Score
89.07%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.
Max CVSS
2.1
EPSS Score
0.04%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.
Max CVSS
2.6
EPSS Score
0.09%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.
Max CVSS
2.6
EPSS Score
0.27%
Published
2005-03-25
Updated
2017-10-11
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.
Max CVSS
2.6
EPSS Score
0.60%
Published
2005-05-02
Updated
2017-10-11
Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."
Max CVSS
2.6
EPSS Score
0.46%
Published
2005-05-02
Updated
2017-10-11
71 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!