Skip to main content

Bugzilla

32 CVEs product

Monthly

CVE-2019-1003066 Maven HIGH This Week

Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Bugzilla
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2016-2803 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bugzilla
NVD
CVSS 3.0
6.1
EPSS
0.4%
CVE-2015-8509 LOW POC Monitor

Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 3.0
3.5
EPSS
0.3%
CVE-2015-8508 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD
CVSS 3.0
4.7
EPSS
0.4%
CVE-2015-4499 HIGH POC PATCH This Week

Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla Information Disclosure Bugzilla
NVD
CVSS 2.0
7.5
EPSS
1.6%
CVE-2014-8630 MEDIUM PATCH This Month

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Bugzilla Fedora
NVD
CVSS 2.0
6.5
EPSS
0.6%
CVE-2014-1573 MEDIUM PATCH This Month

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Fedora Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.9%
CVE-2014-1572 MEDIUM PATCH This Month

The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Fedora Bugzilla
NVD
CVSS 2.0
5.0
EPSS
1.1%
CVE-2014-1571 MEDIUM PATCH This Month

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Bugzilla Fedora
NVD
CVSS 2.0
4.0
EPSS
0.5%
CVE-2014-1546 MEDIUM This Month

The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2014-1517 MEDIUM PATCH This Month

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

CSRF Authentication Bypass Bugzilla Fedora
NVD VulDB
CVSS 2.0
4.0
EPSS
0.4%
CVE-2013-1743 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
0.9%
CVE-2013-1742 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
0.7%
CVE-2013-1734 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD
CVSS 2.0
6.8
EPSS
0.1%
CVE-2013-1733 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD
CVSS 2.0
6.8
EPSS
0.1%
CVE-2013-0786 MEDIUM This Month

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2013-0785 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-5884 MEDIUM This Month

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 4.3.2 allows remote attackers to obtain sensitive information about the saved searches of arbitrary users via an XMLRPC request or a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2012-5883 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Bugzilla Yui
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2012-4199 MEDIUM This Month

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-4198 MEDIUM This Month

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
4.0
EPSS
0.2%
CVE-2012-4197 MEDIUM POC This Month

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2012-4189 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-4747 MEDIUM PATCH This Month

Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Bugzilla
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2012-3981 MEDIUM PATCH This Month

Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Bugzilla
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2012-1969 MEDIUM This Month

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-1968 MEDIUM PATCH This Month

Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-0466 MEDIUM This Month

template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XSS Bugzilla
NVD
CVSS 2.0
4.0
EPSS
0.3%
CVE-2012-0465 MEDIUM PATCH This Month

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Bugzilla
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2012-0453 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable.

CSRF Bugzilla
NVD
CVSS 2.0
5.1
EPSS
0.2%
CVE-2012-0448 MEDIUM POC This Month

Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2012-0440 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD
CVSS 2.0
5.1
EPSS
0.2%
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bugzilla
NVD
EPSS 0% CVSS 3.5
LOW POC Monitor

Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla Information Disclosure Bugzilla
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Bugzilla Fedora
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Fedora Bugzilla
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Fedora Bugzilla
NVD
EPSS 1% CVSS 4.0
MEDIUM PATCH This Month

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Bugzilla Fedora
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Bugzilla
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

CSRF Authentication Bypass Bugzilla +1
NVD VulDB
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Bugzilla
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 4.3.2 allows remote attackers to obtain sensitive information about the saved searches of arbitrary users via an XMLRPC request or a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Bugzilla Yui
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 5.0
MEDIUM POC This Month

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Bugzilla
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Bugzilla
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Bugzilla
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Bugzilla
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Bugzilla
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XSS Bugzilla
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Bugzilla
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable.

CSRF Bugzilla
NVD
EPSS 0% CVSS 4.0
MEDIUM POC This Month

Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bugzilla
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Bugzilla
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy