Filtered by vendor Mozilla Subscriptions
Filtered by product Bugzilla Subscriptions
Total 151 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2001-0330 1 Mozilla 1 Bugzilla 2025-04-03 N/A
Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed.
CVE-2001-1404 2 Mozilla, Redhat 2 Bugzilla, Powertools 2025-04-03 N/A
Bugzilla before 2.14 stores user passwords in plaintext and sends password requests in an email message, which could allow attackers to gain privileges.
CVE-2006-2420 1 Mozilla 1 Bugzilla 2025-04-03 N/A
Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences such as ">", which are automatically decoded by some RSS readers. NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers. While this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it.
CVE-2002-0010 2 Mozilla, Redhat 2 Bugzilla, Powertools 2025-04-03 N/A
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges.
CVE-2001-1402 2 Mozilla, Redhat 2 Bugzilla, Powertools 2025-04-03 N/A
Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.
CVE-2001-1403 2 Mozilla, Redhat 2 Bugzilla, Powertools 2025-04-03 N/A
Bugzilla before 2.14 includes the username and password in URLs, which could allow attackers to gain privileges by reading the information from the web server logs, or by "shoulder-surfing" and observing the web browser's location bar.
CVE-2001-1405 2 Mozilla, Redhat 2 Bugzilla, Powertools 2025-04-03 N/A
Bugzilla before 2.14 does not restrict access to sanitycheck.cgi, which allows local users to cause a denial of service (CPU consumption) via a flood of requests to sanitycheck.cgi.
CVE-2004-1061 1 Mozilla 1 Bugzilla 2025-04-03 N/A
Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter.
CVE-2004-1634 1 Mozilla 1 Bugzilla 2025-04-03 N/A
show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive information.
CVE-2004-0702 1 Mozilla 1 Bugzilla 2025-04-03 N/A
DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information.
CVE-2018-5123 1 Mozilla 1 Bugzilla 2024-11-21 N/A
A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4.