VYPR

Python Bugzilla

by Python Bugzilla Project

Source repositories

CVEs (13)

  • CVE-2013-2191 (Feb 8, 2014)
    risk 0.00 (CVSS), EPSS 0.01

    python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.

  • CVE-2013-0786 (Feb 24, 2013)
    risk 0.00 (CVSS), EPSS 0.02

    The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product…

  • CVE-2012-1968 (Jul 30, 2012)
    risk 0.00 (CVSS), EPSS 0.01

    Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote attackers to obtain sensitive description information by reading the tooltip…

  • CVE-2012-0453 (Feb 25, 2012)
    risk 0.00 (CVSS), EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product's installation via the…

  • CVE-2012-0448 (Feb 2, 2012)
    risk 0.00 (CVSS), EPSS 0.01

    Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other…

  • CVE-2007-0792 (Feb 6, 2007)
    risk 0.00 (CVSS), EPSS 0.01

    The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct request for the localconfig…

  • CVE-2005-4534 (Dec 28, 2005)
    risk 0.00 (CVSS), EPSS 0.02

    The shadow database feature (syncshadowdb) in Bugzilla 2.9 through 2.16.10 allows local users to overwrite arbitrary files via a symlink attack on temporary files.

  • CVE-2005-3139 (Oct 5, 2005)
    risk 0.00 (CVSS), EPSS 0.01

    Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on in substring mode, allows attackers to list all users whose names match an arbitrary substring, even when the usevisibilitygroups parameter is set.

  • CVE-2005-3138 (Oct 5, 2005)
    risk 0.00 (CVSS), EPSS 0.01

    Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set.

  • CVE-2003-0603 (Aug 27, 2003)
    risk 0.00 (CVSS), EPSS 0.00

    Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions.

  • CVE-2003-0012 (Jan 17, 2003)
    risk 0.00 (CVSS), EPSS 0.00

    The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data.

  • CVE-2002-0806 (Aug 12, 2002)
    risk 0.00 (CVSS), EPSS 0.00

    Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option.

  • CVE-2002-0009 (Jan 31, 2002)
    risk 0.00 (CVSS), EPSS 0.01

    show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu.
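The first entry above, CVE-2013-2191, is the only one in this list that concerns the python-bugzilla client itself: before 0.9.0 it completed the TLS handshake with any server certificate, so an attacker on the path could present a self-signed certificate and read or replay the client's Bugzilla credentials and API calls. The following is an added example, not python-bugzilla's own code, showing the two ways a Python XML-RPC client can be configured: the vulnerable form (no chain or hostname verification) next to the hardened form built from `ssl.create_default_context`, plus a check a test suite can run against any context before it is handed to `xmlrpc.client.ServerProxy`. The URL and the optional `cafile` argument are placeholders; assume a private CA bundle or the system trust store, whichever your deployment uses.

```python
"""Client-side X.509 validation for an XML-RPC Bugzilla client.

Added example; not code from python-bugzilla. It contrasts the pre-0.9.0
failure mode of CVE-2013-2191 (any server certificate accepted) with a
context that verifies the certificate chain and the hostname.
"""
import ssl
import xmlrpc.client
from typing import Optional


def unverified_context() -> ssl.SSLContext:
    """Reproduce the vulnerable behaviour: the handshake succeeds with any
    certificate, so a man-in-the-middle holding a self-signed certificate is
    accepted as the Bugzilla server. check_hostname has to be cleared before
    verify_mode, otherwise the ssl module refuses the combination."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened behaviour: the chain must validate against the system trust
    store (or the CA bundle in `cafile`, an assumed deployment-specific path)
    and the leaf certificate must match the hostname in the URL."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both of these; assert so that a
    # later refactor cannot silently weaken the context.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """The property a unit test should require of every context that is
    used to talk to Bugzilla: chain verification on, hostname check on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def bugzilla_proxy(url: str, ctx: ssl.SSLContext) -> xmlrpc.client.ServerProxy:
    """Build the XML-RPC proxy. xmlrpc.client only applies `ctx` to https://
    URLs, so a plaintext URL would bypass the verification entirely; refuse
    it rather than send a Bugzilla login over HTTP."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send Bugzilla credentials over plaintext")
    if not context_validates_peer(ctx):
        raise ValueError("TLS context does not verify the server certificate")
    return xmlrpc.client.ServerProxy(url, context=ctx)


if __name__ == "__main__":
    # Placeholder host; .invalid never resolves, so this only shows the call.
    proxy = bugzilla_proxy("https://bugzilla.example.invalid/xmlrpc.cgi",
                           verified_context())
    try:
        print(proxy.Bugzilla.version())
    except (OSError, xmlrpc.client.ProtocolError) as exc:
        print("connection failed (expected for the placeholder host):", exc)
```

With a verified context a spoofed server fails inside the handshake with `ssl.SSLCertVerificationError` before any XML-RPC request, including the login, leaves the client; with the unverified context the same request is answered by whoever terminated the connection.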