Thinking OPEN

Posts Tagged ‘bugzilla’

Bugzilla 3.5 and prior [High]

By Security Team • Sep 15th, 2009 • Category: Security Notifications

SQL injection vulnerability in the Bug.search WebService function in Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to execute arbitrary SQL commands via unspecified parameters….

CVE Identifier: CVE-2009-3125
Vulnerability Type(s):
Severity: High



Bugzilla 3.4.1 and prior [High]

By Security Team • Sep 15th, 2009 • Category: Security Notifications

SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters….

CVE Identifier: CVE-2009-3165
Vulnerability Type(s):
Severity: High
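Both WebService advisories above (Bug.search and Bug.create) describe the same defect class: request parameters reaching the SQL text. The advisories do not name the parameters, so the following is an added example, not Bugzilla's code or schema: a constructed bugs table in SQLite with a list-valued filter built the two ways, by splicing quoted values into the query and by binding one placeholder per value. The schema, rows and payload are invented for the demonstration.

```python
import sqlite3

# Constructed stand-in for a tracker's bugs table; not Bugzilla's real schema.
SCHEMA = """
CREATE TABLE bugs (
    bug_id     INTEGER PRIMARY KEY,
    product    TEXT NOT NULL,
    short_desc TEXT NOT NULL,
    is_private INTEGER NOT NULL
);
"""
# Constructed rows; bug 3 is one the caller must never see.
ROWS = [
    (1, "Firefox", "Crash on startup", 0),
    (2, "Firefox", "Tab bar misaligned", 0),
    (3, "Thunderbird", "Undisclosed security issue", 1),
]


def open_db():
    """In-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO bugs VALUES (?, ?, ?, ?)", ROWS)
    return db


def search_unsafe(db, products):
    """Vulnerable: each list value is quoted by hand and spliced into the SQL text.
    A value containing a quote closes the literal and the rest is parsed as SQL."""
    in_list = ", ".join("'%s'" % p for p in products)
    sql = ("SELECT bug_id FROM bugs WHERE is_private = 0 "
           "AND product IN (%s) ORDER BY bug_id" % in_list)
    return [row[0] for row in db.execute(sql)]


def search_safe(db, products):
    """Hardened: the SQL text holds one '?' per value and the values travel
    separately as bind parameters, so they are never parsed as SQL."""
    products = list(products)
    if not products:
        return []                       # "IN ()" is a syntax error; short-circuit instead
    placeholders = ", ".join("?" for _ in products)
    sql = ("SELECT bug_id FROM bugs WHERE is_private = 0 "
           "AND product IN (%s) ORDER BY bug_id" % placeholders)
    return [row[0] for row in db.execute(sql, products)]


if __name__ == "__main__":
    db = open_db()
    payload = "Firefox') OR 1=1 --"
    print("unsafe:", search_unsafe(db, [payload]))   # every row, private one included
    print("safe:  ", search_safe(db, [payload]))     # nothing: no product has that name
```

The payload closes the IN list, adds an always-true condition and comments out the rest of the statement, which is why the private row comes back from the unsafe version. Note that the placeholder count is generated from the list length; a fixed number of placeholders is the usual reason developers fall back to string splicing for list parameters.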



Bugzilla 3.4.1 and prior [Medium]

By Security Team • Sep 15th, 2009 • Category: Security Notifications

token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL at the beginning of a login session that occurs immediately after a password reset, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history….

CVE Identifier: CVE-2009-3166
Vulnerability Type(s):
Severity: Medium
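The practical question this advisory raises for an operator is whether a password ever landed in a request line or Referer that is now sitting in the web-server logs. The following is an added example, not part of the advisory or of Bugzilla: a scanner over Apache/nginx combined-format access logs that reports requests whose path or Referer carries a password-like query parameter, with the values redacted so the findings themselves do not leak. The parameter names and the sample log lines are assumptions constructed for the demonstration; the advisory does not name the real field.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical parameter names: the advisory does not say what the field was
# called, so this list is an assumption to tune for the application being audited.
SENSITIVE_PARAMS = ("password", "passwd", "pwd", "pass", "new_password")

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Longest names first so "new_password" is redacted as a whole, not as "password".
_REDACT = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_PARAMS, key=len, reverse=True)) + r")=[^&#]*"
)

# Constructed sample log lines (not real traffic). Line 1 is the GET carrying the
# password; line 2 is the next request, whose Referer repeats the same URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2009:10:01:02 +0000] "GET /token.cgi?t=abc123&a=chgpw&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Sep/2009:10:01:03 +0000] "GET /index.cgi HTTP/1.1" 200 512 "https://bugs.example.org/token.cgi?t=abc123&a=chgpw&password=hunter2" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Sep/2009:10:02:00 +0000] "GET /show_bug.cgi?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def sensitive_params(url):
    """Names of sensitive query parameters present in url; values are never returned."""
    names = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)


def redact(url):
    """Replace the value of every sensitive parameter so findings can be shared safely."""
    return _REDACT.sub(r"\1=[REDACTED]", url)


def scan_access_log(lines):
    """Flag requests whose path or Referer carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                    # not combined format; skip rather than guess
        for field in ("path", "referer"):
            url = m.group(field)
            if url in ("", "-"):
                continue
            hit = sensitive_params(url)
            if hit:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "where": field, "params": hit, "url": redact(url),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run it against the real access logs (and any upstream proxy or CDN logs, which keep their own copies) for the window in which the vulnerable version was deployed. Every user whose session shows up in a finding should have the affected password rotated, since the browser history and the Referer sent to any third-party resource on the landing page are copies you cannot scrub.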



Go Local, Be Global: Scaling the Mozilla Localization Community

By Seth Bindernagel • Jun 5th, 2009 • Category: Articles

Remember that “Think Globally, Act Locally” bumper sticker you’ve seen on hybrids and VW buses? The folks over at Mozilla have really taken the message to heart, building participatory local communities around the world. In a continuation of our occasional series on open source community building, we present a case study about scaling the localization community at Mozilla.



Bugzilla 3.3.3 and prior [Medium]

By Security Team • Apr 1st, 2009 • Category: Security Notifications

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing….

CVE Identifier: CVE-2009-1213
Vulnerability Type(s):
Severity: Medium



Bugzilla 3.3.2 and prior [Medium]

By Security Team • Feb 9th, 2009 • Category: Security Notifications

Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to “approve.”…

CVE Identifier: CVE-2008-6098
Vulnerability Type(s):
Severity: Medium



Bugzilla 3.3.1 and prior [Low]

By Security Team • Feb 9th, 2009 • Category: Security Notifications

Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers….

CVE Identifier: CVE-2009-0481
Vulnerability Type(s):
Severity: Low
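The defect above is not in the upload but in how the upload is served back: an attachment delivered inline with a type the browser will render (HTML, or SVG, which is XML that can carry script) runs in the tracker's own origin with the viewer's session. The following is an added example, not Bugzilla's code or its actual fix: a header-selection function that treats the uploader's declared type as untrusted, serves only a small allowlist of inert types inline, forces everything else to download, and sanitises the filename so it cannot inject further headers. The allowlist is an assumption to adjust per deployment.

```python
import re

# Types that are safe to render inline from the application's own origin.
# Assumed allowlist; anything else (text/html, image/svg+xml, xml, scripts,
# unknown or missing types) is delivered as a download instead.
INLINE_OK = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def normalize_mime(content_type):
    """'TEXT/Plain; charset=utf-8' -> 'text/plain'; empty or malformed -> ''."""
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    return mime if re.fullmatch(r"[a-z0-9!#$&.+^_-]+/[a-z0-9!#$&.+^_-]+", mime) else ""


def safe_filename(name):
    """Strip characters that could end the header value or start a new header line."""
    name = re.sub(r'[\r\n"\\]', "", name or "").strip()
    return name or "attachment"


def attachment_headers(declared_type, filename):
    """Response headers for serving an uploaded attachment.

    declared_type is whatever the uploader claimed at upload time; it is input,
    not a decision, so it is normalised and checked against the allowlist."""
    mime = normalize_mime(declared_type)
    fname = safe_filename(filename)
    # nosniff stops the browser from second-guessing the declared type, e.g.
    # rendering a text/plain body that starts with <html> as HTML.
    headers = {"X-Content-Type-Options": "nosniff"}
    if mime in INLINE_OK:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = 'inline; filename="%s"' % fname
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % fname
    return headers


if __name__ == "__main__":
    for declared, name in [("text/html", "poc.html"),
                           ("image/svg+xml", "logo.svg"),
                           ("image/png; charset=x", "shot.png"),
                           ("", "blob")]:
        print(declared or "(none)", "->", attachment_headers(declared, name))
```

The other common design, which this example does not implement, is to serve attachments from a separate cookie-less origin so that even rendered HTML cannot reach the tracker's session; the allowlist above is the option that needs no second hostname.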



Bugzilla 3.3.1 and prior [Medium]

By Security Team • Feb 9th, 2009 • Category: Security Notifications

Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi….

CVE Identifier: CVE-2009-0482
Vulnerability Type(s):
Severity: Medium



Bugzilla 3.3.1 and prior [Medium]

By Security Team • Feb 9th, 2009 • Category: Security Notifications

Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi….

CVE Identifier: CVE-2009-0483
Vulnerability Type(s):
Severity: Medium



Bugzilla 3.3.1 and prior [Medium]

By Security Team • Feb 9th, 2009 • Category: Security Notifications

Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi….

CVE Identifier: CVE-2009-0484
Vulnerability Type(s):
Severity: Medium
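The four CSRF entries on this page (attachment.cgi, process_bug.cgi, editkeywords.cgi and userprefs.cgi, buglist.cgi) share one mechanism: a link or IMG tag on an attacker's page makes the victim's browser issue a request that carries the victim's session cookie, and the script acts on it because being logged in is the only check. The following is an added example, not Bugzilla's code or its own token scheme: a minimal handler in the process_bug.cgi shape written both ways, with the hardened version requiring POST plus an HMAC token bound to the caller's session and to the specific action. The bug store, session format, request shape and server key are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret. Assumed: generated fresh here; a real deployment loads it
# from configuration so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id, action, now=None):
    """Mint a token bound to this user's session and to one action, with a timestamp."""
    ts = int(time.time() if now is None else now)
    msg = "%s|%s|%d" % (session_id, action, ts)
    mac = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return "%d-%s" % (ts, mac)


def verify_token(token, session_id, action, max_age=3600, now=None):
    """True only if token was minted for this session and action within max_age seconds."""
    try:
        ts_str, mac = str(token).split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(SERVER_KEY, ("%s|%s|%d" % (session_id, action, ts)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)       # constant-time comparison


def new_bugs():
    """Constructed bug store, fresh per scenario."""
    return {1: {"status": "NEW"}, 2: {"status": "NEW"}}


def process_bug_vulnerable(bugs, request, session):
    """Vulnerable: a logged-in session is the only check and GET is accepted, so
    <img src="process_bug.cgi?id=1&status=RESOLVED"> on any page the victim
    views does the update. The browser attaches the session cookie on its own."""
    if not session.get("id"):
        return 401
    bug = bugs[int(request["params"]["id"])]
    bug["status"] = request["params"]["status"]
    return 200


def process_bug_hardened(bugs, request, session):
    """Hardened: state changes need POST plus a token tied to *this* session and action."""
    if request["method"] != "POST":
        return 405                                  # links and IMG tags can only GET
    token = request["params"].get("token")
    if not token or not verify_token(token, session["id"], "process_bug"):
        return 403                                  # cross-site form post: no valid token
    bug = bugs[int(request["params"]["id"])]
    bug["status"] = request["params"]["status"]
    return 200


if __name__ == "__main__":
    victim = {"id": "sess-victim"}
    forged = {"method": "GET", "params": {"id": "1", "status": "RESOLVED"}}
    b = new_bugs()
    print("vulnerable:", process_bug_vulnerable(b, forged, victim), b[1])   # 200, RESOLVED
    b = new_bugs()
    print("hardened:  ", process_bug_hardened(b, forged, victim), b[1])     # 405, NEW
```

Binding the token to the session is what defeats the obvious bypass of an attacker submitting a token minted for their own account; binding it to the action keeps a token leaked from one form (say a search page) from authorising a bug update. Rejecting GET for state changes is a separate, cheaper layer: it closes the link-and-IMG-tag vector on its own, but a hidden auto-submitting form still needs the token check.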