Filtered by vendor Mozilla
Subscriptions
Filtered by product Bugzilla
Subscriptions
Total
151 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2001-1402 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi. | ||||
CVE-2001-0330 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed. | ||||
CVE-2001-0329 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi. | ||||
CVE-2002-2260 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
Cross-site scripting (XSS) vulnerability in the quips feature in Mozilla Bugzilla 2.10 through 2.17 allows remote attackers to inject arbitrary web script or HTML via the "show all quips" page. | ||||
CVE-2002-1197 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, allows remote attackers to execute arbitrary code via shell metacharacters in a system call to processmail. | ||||
CVE-2002-1196 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the "usebuggroups" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to users via known features of Perl math that set multiple bits. | ||||
CVE-2002-1198 | 1 Mozilla | 1 Bugzilla | 2024-08-08 | N/A |
Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes from an email address during account creation, which allows remote attackers to execute arbitrary SQL via a SQL injection attack. | ||||
CVE-2002-0803 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote attackers to display restricted products and components via a direct HTTP request to queryhelp.cgi. | ||||
CVE-2002-0809 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not properly handle URL-encoded field names that are generated by some browsers, which could cause certain fields to appear to be unset, which has the effect of removing group permissions on bugs when buglist.cgi is provided with the encoded field names. | ||||
CVE-2002-0810 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error messages from the syncshadowdb command to the HTML output, which could leak sensitive information, including plaintext passwords, if syncshadowdb fails. | ||||
CVE-2002-0811 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi. | ||||
CVE-2002-0805 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new directories with world-writable permissions, and (2) creates the params file with world-writable permissions, which allows local users to modify the files and execute code. | ||||
CVE-2002-0804 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname. | ||||
CVE-2002-0806 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option. | ||||
CVE-2002-0808 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing a mass change, sets the groupset of all bugs to the groupset of the first bug, which could inadvertently cause insecure groupset permissions to be assigned to some bugs. | ||||
CVE-2002-0807 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, could allow remote attackers to execute script as other Bugzilla users via the full name (real name) field, which is not properly quoted by editusers.cgi. | ||||
CVE-2002-0011 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allow remote attackers to more easily conduct attacks on the login. | ||||
CVE-2002-0010 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges. | ||||
CVE-2002-0007 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote attackers to obtain an anonymous bind to the LDAP server via a request that does not include a password, which causes a null password to be sent to the LDAP server. | ||||
CVE-2002-0009 | 2 Mozilla, Redhat | 2 Bugzilla, Powertools | 2024-08-08 | N/A |
show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu. |