Vulnerabilities > Mozilla > Bugzilla > 2.17

DATE CVE VULNERABILITY TITLE RISK
2019-04-29 CVE-2018-5123 Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla
A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4.
network
mozilla CWE-352
6.8
2017-04-12 CVE-2016-2803 Cross-site Scripting vulnerability in Mozilla Bugzilla
Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML.
network
mozilla CWE-79
4.3
2015-09-14 CVE-2015-4499 Improper Input Validation vulnerability in Mozilla Bugzilla
Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address.
network
low complexity
mozilla CWE-20
7.5
2015-02-01 CVE-2014-8630 Command Injection vulnerability in multiple products
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
network
low complexity
mozilla fedoraproject CWE-77
6.5
2014-10-13 CVE-2014-1573 Cross-Site Scripting vulnerability in multiple products
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.
4.3
2014-10-13 CVE-2014-1572 Permissions, Privileges, and Access Controls vulnerability in multiple products
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.
network
low complexity
fedoraproject mozilla CWE-264
5.0
2014-10-13 CVE-2014-1571 Information Exposure vulnerability in multiple products
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.
network
low complexity
mozilla fedoraproject CWE-200
4.0
2013-10-24 CVE-2013-1742 Cross-Site Scripting vulnerability in Mozilla Bugzilla
Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter.
network
mozilla CWE-79
4.3
2013-10-24 CVE-2013-1734 Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.
network
mozilla CWE-352
6.8
2013-02-24 CVE-2013-0786 Information Exposure vulnerability in Mozilla Bugzilla
The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query.
network
low complexity
mozilla CWE-200
5.0