Total
151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2003-0602 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 6.8 MEDIUM | N/A |
| Multiple cross-site scripting vulnerabilities (XSS) in Bugzilla 2.16.x before 2.16.3 and 2.17.x before 2.17.4 allow remote attackers to insert arbitrary HTML or web script via (1) multiple default German and Russian HTML templates or (2) ALT and NAME attributes in AREA tags as used by the GraphViz graph generation feature for local dependency graphs. | |||||
| CVE-2003-0013 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file. | |||||
| CVE-2003-0012 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 2.1 LOW | N/A |
| The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data. | |||||
| CVE-2002-2260 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the quips feature in Mozilla Bugzilla 2.10 through 2.17 allows remote attackers to inject arbitrary web script or HTML via the "show all quips" page. | |||||
| CVE-2002-1198 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes from an email address during account creation, which allows remote attackers to execute arbitrary SQL via a SQL injection attack. | |||||
| CVE-2002-1197 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, allows remote attackers to execute arbitrary code via shell metacharacters in a system call to processmail. | |||||
| CVE-2002-1196 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the "usebuggroups" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to users via known features of Perl math that set multiple bits. | |||||
| CVE-2002-0811 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi. | |||||
| CVE-2002-0810 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 5.0 MEDIUM | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error messages from the syncshadowdb command to the HTML output, which could leak sensitive information, including plaintext passwords, if syncshadowdb fails. | |||||
| CVE-2002-0809 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not properly handle URL-encoded field names that are generated by some browsers, which could cause certain fields to appear to be unset, which has the effect of removing group permissions on bugs when buglist.cgi is provided with the encoded field names. | |||||
| CVE-2002-0808 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing a mass change, sets the groupset of all bugs to the groupset of the first bug, which could inadvertently cause insecure groupset permissions to be assigned to some bugs. | |||||
| CVE-2002-0807 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, could allow remote attackers to execute script as other Bugzilla users via the full name (real name) field, which is not properly quoted by editusers.cgi. | |||||
| CVE-2002-0806 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 2.1 LOW | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option. | |||||
| CVE-2002-0805 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 4.6 MEDIUM | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new directories with world-writable permissions, and (2) creates the params file with world-writable permissions, which allows local users to modify the files and execute code. | |||||
| CVE-2002-0804 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname. | |||||
| CVE-2002-0803 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 5.0 MEDIUM | N/A |
| Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote attackers to display restricted products and components via a direct HTTP request to queryhelp.cgi. | |||||
| CVE-2002-0011 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 5.0 MEDIUM | N/A |
| Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allow remote attackers to more easily conduct attacks on the login. | |||||
| CVE-2002-0010 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges. | |||||
| CVE-2002-0009 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 5.0 MEDIUM | N/A |
| show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu. | |||||
| CVE-2002-0008 | 1 Mozilla | 1 Bugzilla | 2024-11-20 | 7.5 HIGH | N/A |
| Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the "who" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi. | |||||