VYPR
← All advisories
Unrated severityNVD Advisory· Published May 7, 2008· Updated Apr 23, 2026

CVE-2008-2103

CVE-2008-2103

Description

Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Bugzilla 2.17.2+ via the id parameter in show_bug.cgi when using 'Format for Printing' or 'Long Format' views.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Bugzilla versions 2.17.2 and later, up to but not including the fixed versions 2.20.5, 2.22.3, 3.0.3, and 3.1.3. The flaw occurs in show_bug.cgi when the id parameter is used with the format=multiple parameter (or the 'Format for Printing' view). The id parameter is not properly sanitized, allowing injection of arbitrary HTML and script [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the id parameter with a script payload and enticing a victim to visit it. The victim must be using the 'Format for Printing' view or the 'Long Format' bug list. No authentication is required for the attacker to inject the payload, and the victim does not need special privileges beyond viewing the page [1][2].

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and script into the victim's browser, potentially leading to cookie theft, session hijacking, or defacement of the Bugzilla interface. The attack runs in the context of the Bugzilla domain.

Mitigation

The vulnerability is fixed in Bugzilla versions 2.20.5, 2.22.3, 3.0.3, and 3.1.3, released on May 4, 2008 [1]. Users should upgrade to one of these versions or later. No workaround is provided for unpatched versions.

References
  1. 3.0.3, 3.1.3, 2.22.3, and 2.20.5 Security Advisory
  2. 425665 - [SECURITY] XSS in show_bug.cgi: id isn't filtered for format=multiple

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

49
  • Mozilla Corporation/Bugzilla48 versions
    cpe:2.3:a:mozilla:bugzilla:2.17.2:*:*:*:*:*:*:*+ 47 more
    • cpe:2.3:a:mozilla:bugzilla:2.17.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.17.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.17.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.17.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.17.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.17.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.18:rc3:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.20:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.21.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.21.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.22:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.23:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.23.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.23.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:2.23.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:bugzilla:3.1.4:*:*:*:*:*:*:*
  • Python Bugzilla Project/Python Bugzillallm-fuzzy
    Range: >=2.17.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

10

News mentions

0

No linked articles in our index yet.