2.18.8 : Security Vulnerabilities

Cpe Name:cpe:/a:mozilla:bugzilla:2.18.8

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : Cve Number Descending Cve Number Ascending CVSS Score Descending Number Of Exploits Descending

Copy Results Download Results Select Table

#	CVE ID	CWE ID	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2013-0786	200	+Info	2013-02-24	2013-02-25	5.0	None	Remote	Low	Not required	Partial	None	None
The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query.
2	CVE-2012-4747	264		2012-09-04	2012-09-04	5.0	None	Remote	Low	Not required	Partial	None	None
Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to read (1) template (aka .tmpl) files, (2) other custom extension files under extensions/, or (3) custom documentation files under docs/ via a direct request.
3	CVE-2012-4197	200	+Info	2012-11-16	2013-03-01	5.0	None	Remote	Low	Not required	Partial	None	None
Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action.
4	CVE-2012-3981	255		2012-09-04	2013-03-25	5.0	None	Remote	Low	Not required	None	Partial	None
Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LDAP directory via a crafted login attempt.
5	CVE-2012-1969	264	+Info	2012-07-30	2012-07-31	4.3	None	Remote	Medium	Not required	Partial	None	None
The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment description within a public comment, which allows remote attackers to obtain sensitive description information by reading a comment.
6	CVE-2012-0466	264	XSS +Info	2012-04-27	2012-08-13	4.0	None	Remote	High	Not required	Partial	Partial	None
template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page.
7	CVE-2012-0448	20		2012-02-02	2012-02-15	4.0	None	Remote	Low	Single system	None	Partial	None
Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address.
8	CVE-2011-3669	352	CSRF	2012-01-02	2012-02-01	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments.
9	CVE-2011-3668	352	CSRF	2012-01-02	2012-02-01	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports.
10	CVE-2011-3667	287		2012-01-02	2012-02-03	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.
11	CVE-2011-3657	79	XSS	2012-01-02	2012-02-03	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart.
12	CVE-2011-0048	79	XSS	2011-01-28	2011-10-25	4.3	None	Remote	Medium	Not required	None	Partial	None
Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI.
13	CVE-2011-0046	352	CSRF	2011-01-28	2011-10-25	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi.
14	CVE-2010-4572	94	Http R.Spl.	2011-01-28	2011-10-25	4.3	None	Remote	Medium	Not required	None	Partial	None
CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411.
15	CVE-2010-4567	79	XSS	2011-01-28	2011-10-25	4.3	None	Remote	Medium	Not required	None	Partial	None
Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field.
16	CVE-2010-3764	200	+Info	2010-11-05	2010-11-22	5.0	None	Remote	Low	Not required	Partial	None	None
The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL.
17	CVE-2010-3172	94	Http R.Spl.	2010-11-05	2010-12-16	2.6	None	Remote	High	Not required	None	Partial	None
CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.
18	CVE-2010-2758	200	+Info	2010-08-16	2010-09-08	5.0	None	Remote	Low	Not required	Partial	None	None
Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or (2) Duplicates page.
19	CVE-2009-3989	264	+Info	2010-02-03	2010-02-05	4.3	None	Remote	Medium	Not required	Partial	None	None
Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.
20	CVE-2009-0483	352	CSRF	2009-02-09	2009-03-25	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi.
21	CVE-2009-0482	352	CSRF	2009-02-09	2009-03-25	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi.
22	CVE-2009-0481	79	XSS	2009-02-09	2009-03-25	3.5	None	Remote	Medium	Single system	None	Partial	None
Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers.
23	CVE-2008-6098	264	Bypass	2009-02-09	2009-03-25	4.0	None	Remote	Low	Single system	None	None	Partial
Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve."

Total number of vulnerabilities : 23 Page : 1 (This Page)