Vulnerabilities > Mozilla > Bugzilla

DATE CVE VULNERABILITY TITLE RISK
2019-04-29 CVE-2018-5123 Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla
A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4.
network
mozilla CWE-352
6.8
2017-04-12 CVE-2016-2803 Cross-site Scripting vulnerability in Mozilla Bugzilla
Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML.
network
mozilla CWE-79
4.3
2016-01-03 CVE-2015-8509 Information Exposure vulnerability in Mozilla Bugzilla
Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.
network
mozilla CWE-200
4.3
2016-01-03 CVE-2015-8508 Cross-site Scripting vulnerability in Mozilla Bugzilla
Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary.
network
high complexity
mozilla CWE-79
2.6
2015-09-14 CVE-2015-4499 Improper Input Validation vulnerability in Mozilla Bugzilla
Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address.
network
low complexity
mozilla CWE-20
7.5
2015-02-01 CVE-2014-8630 Command Injection vulnerability in multiple products
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
network
low complexity
mozilla fedoraproject CWE-77
6.5
2014-10-13 CVE-2014-1573 Cross-Site Scripting vulnerability in multiple products
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.
4.3
2014-10-13 CVE-2014-1572 Permissions, Privileges, and Access Controls vulnerability in multiple products
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.
network
low complexity
fedoraproject mozilla CWE-264
5.0
2014-10-13 CVE-2014-1571 Information Exposure vulnerability in multiple products
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.
network
low complexity
mozilla fedoraproject CWE-200
4.0
2014-08-14 CVE-2014-1546 Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla
The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
network
mozilla CWE-352
4.3