VYPR
Unrated severity · NVD Advisory · Published Sep 10, 2001 · Updated Jun 16, 2026

CVE-2001-1402

Description

Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • cpe:2.3:a:mozilla:bugzilla:2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*
  • (no CPE) range: <2.14

Note that the 2.14 CPE entry conflicts with the description and the version range, both of which place the fix in 2.14 itself; treat 2.14 as the first fixed release and every earlier version as affected.

Vulnerability mechanics

Root cause

"User-supplied input is echoed back in error messages without being passed through html_quote(), allowing HTML/JavaScript injection."

Attack vector

An attacker injects arbitrary HTML or JavaScript by submitting crafted input to any of the affected CGI parameters, for example by entering `<u>@netscape.com` as a CC address on a bug [ref_id=1]. The server echoes the unescaped input back in an error message ("The name <u>@netscape.com is not a valid username"), and the browser parses the injected markup. This is reflected cross-site scripting (abbreviated CSS in the original advisory text, XSS today); a script payload in place of the harmless `<u>` tag could read the victim's Bugzilla session cookie, submit forms on the victim's behalf, or deface the page. The description also flags possible SQL injection: the same unescaped values flow through several of these scripts, so wherever one reaches a database query without proper quoting the parameter is exposed on that front as well [ref_id=1].

Affected code

The vulnerability affects multiple Bugzilla CGI scripts that echo user-supplied input back in error messages without HTML-escaping it. The reference identifies reports.cgi (product/output form variables), showvotes.cgi (voteon, bug_id, user), createaccount.cgi (invalid email address), showdependencytree.cgi (invalid ID), process_bug.cgi (invalid usernames and other fields), and buglist.cgi (error messages) [ref_id=1]. The core issue is in the error-message printing paths of these scripts, where variables such as `$::FORM{newcc}` are passed directly to `print` without being run through `html_quote()` [ref_id=1].

What the fix does

The fix applied two changes [ref_id=1]. First, in `DBNameToIdAndCheck()` (in globals.pl), the `$name` variable is run through `html_quote()` before being printed in the error message, so that characters like `<` and `>` become `&lt;` and `&gt;` and are displayed harmlessly. Second, the `CheckEmailSyntax` function was hardened with a new regexp that rejects illegal characters (including `<`, `>`, `&`) in email addresses, preventing them from being stored in the database at all. The default `emailregexp` parameter was also simplified since the new regexp now handles the exclusion of spaces and commas [ref_id=1].
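
The unescaped error-message path beside the two fixes described above, as an added example written for this page and not code taken from Bugzilla. The form value, the sub names `vulnerable_error`, `fixed_error` and `check_email_syntax`, and the character-rejecting regexp are illustrative; `html_quote` here is a minimal reimplementation of what Bugzilla's function does, and the regexp approximates rather than reproduces the hardened `CheckEmailSyntax` expression.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: the unescaped error-message path next to
# the two fixes the advisory describes. Sub names and the regexp are
# illustrative reimplementations, not the Bugzilla originals.
use strict;
use warnings;

# Constructed request: the value a user submitted as a new CC address,
# the same payload used in the original report.
my %FORM = (newcc => '<u>@netscape.com');

# Minimal HTML escaping of the kind html_quote() performs: the four
# characters that can open a tag, an attribute or an entity.
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# BEFORE the fix: the name is interpolated straight into the error page,
# so the browser parses the <u> tag (reflected cross-site scripting).
sub vulnerable_error {
    my ($name) = @_;
    return "The name $name is not a valid username";
}

# AFTER the fix, part 1 (DBNameToIdAndCheck): escape before printing, so
# the browser receives the literal text &lt;u&gt; and renders no markup.
sub fixed_error {
    my ($name) = @_;
    return "The name " . html_quote($name) . " is not a valid username";
}

# AFTER the fix, part 2 (CheckEmailSyntax): reject addresses carrying
# characters that have no place in an e-mail address, so they are never
# stored. Assumption: this regexp approximates the hardened check; it is
# not the exact Bugzilla expression.
sub check_email_syntax {
    my ($addr) = @_;
    return 0 if $addr =~ /[\\()<>&,;:"\[\]\s]/;   # illegal characters
    return $addr =~ /^[^\@]+\@[^\@]+$/ ? 1 : 0;   # one @, both sides non-empty
}

# Show the three behaviours on the constructed payload and on a clean address.
print "before:       ", vulnerable_error($FORM{newcc}), "\n";
print "after:        ", fixed_error($FORM{newcc}), "\n";
print "syntax check: ", (check_email_syntax($FORM{newcc}) ? "accepted" : "rejected"), "\n";
print "syntax check: ", (check_email_syntax('user@example.com') ? "accepted" : "rejected"), " (user\@example.com)\n";
```

Run with `perl`: the `before:` line carries the raw `<u>` tag, the `after:` line carries `&lt;u&gt;`, and the payload is rejected by the syntax check while `user@example.com` is accepted. The output-escaping change is the one that covers all six scripts, since an invalid bug ID in showdependencytree.cgi or an error string in buglist.cgi never passes through the e-mail check; the stricter `CheckEmailSyntax` is defence in depth that keeps hostile addresses out of the database, not a substitute for escaping at the point of output.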

Preconditions

  • Network: the attacker must be able to submit form data to any of the affected Bugzilla CGI scripts (reports.cgi, showvotes.cgi, createaccount.cgi, showdependencytree.cgi, process_bug.cgi, buglist.cgi).
  • Input: the server must echo the submitted value back in an error message without HTML-escaping it.

Reproduction

1. Navigate to a bug (e.g., bug 33830) in a Bugzilla instance prior to version 2.14.
2. Attempt to add `<u>@netscape.com` to the CC list.
3. Observe that the error message displays the unescaped `<u>` tag: "The name <u>@netscape.com is not a valid username." The browser renders the text as underlined, confirming HTML injection [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
