Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Bugzilla
(Mozilla)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 148 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2010-06-28 | CVE-2010-0180 | Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field. | Bugzilla | N/A | ||
| 2010-02-03 | CVE-2009-3989 | Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt. | Bugzilla | N/A | ||
| 2010-02-03 | CVE-2009-3387 | Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances. | Bugzilla | N/A | ||
| 2009-11-20 | CVE-2009-3386 | Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug. | Bugzilla | N/A | ||
| 2009-09-15 | CVE-2009-3166 | token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. | Bugzilla | N/A | ||
| 2009-09-15 | CVE-2009-3165 | SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | Bugzilla | N/A | ||
| 2009-09-15 | CVE-2009-3125 | SQL injection vulnerability in the Bug.search WebService function in Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | Bugzilla | N/A | ||
| 2009-04-01 | CVE-2009-1213 | Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing. | Bugzilla | N/A | ||
| 2009-02-09 | CVE-2009-0486 | Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. | Bugzilla | N/A | ||
| 2009-02-09 | CVE-2009-0485 | Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. | Bugzilla | N/A |