Vulnerability Name: CVE-2001-1402 (CCN-7062)
Assigned: 2001-08-29
Published: 2001-08-29
Updated: 2016-10-18
Summary: Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 38859 - createaccount.cgi needs to escape untrusted value for e-mail address (but maybe de-escape @ symbol)
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=38854
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=38855
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=38859
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=39536
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=87701
  Source: CONFIRM Type: UNKNOWN http://bugzilla.mozilla.org/show_bug.cgi?id=95235
  Source: MITRE Type: CNA CVE-2001-1402
  Source: BUGTRAQ Type: UNKNOWN 20010829 Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: CCN Type: Bugzilla Home page Bugzilla Project Home Page
  Source: CCN Type: Bugzilla Security Advisory Aug 30th, 2001 Users of Bugzilla are recommended to update to version 2.14
  Source: REDHAT Type: Patch, Vendor Advisory RHSA-2001:107
  Source: CCN Type: BID-3265 Bugzilla createaccount.cgi Cross-Site Scripting Vulnerability
  Source: XF Type: UNKNOWN bugzilla-create-account-crosssite(7062)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2001-1402 (CCN-7063)
Assigned: 2001-08-29
Published: 2001-08-29
Updated: 2001-08-29
Summary: Bugzilla is vulnerable to cross-site scripting, caused by an input validation error in the showvotes.cgi script. A remote attacker could embed malicious script within a URL link to the showvotes.cgi script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
  2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 38855 - showvotes.cgi needs to escape (untrusted) url params
  Source: MITRE Type: CNA CVE-2001-1402
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: CCN Type: Bugzilla Home page Bugzilla Project Home Page
  Source: CCN Type: Bugzilla Security Advisory Aug 30th, 2001 Users of Bugzilla are recommended to update to version 2.14
  Source: CCN Type: BID-3264 Bugzilla showvotes.cgi Cross-Site Scripting Vulnerability
  Source: XF Type: UNKNOWN bugzilla-show-votes-crosssite(7063)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2001-1402 (CCN-7064)
Assigned: 2001-08-29
Published: 2001-08-29
Updated: 2001-08-29
Summary: Bugzilla is vulnerable to cross-site scripting, caused by an input validation error in the reports.cgi script. A remote attacker could embed malicious script within a URL link to the reports.cgi script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
  2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 38854 - reports.cgi needs to escape (untrusted) url params
  Source: MITRE Type: CNA CVE-2001-1402
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: CCN Type: Bugzilla Home page Bugzilla Project Home Page
  Source: CCN Type: Bugzilla Security Advisory Aug 30th, 2001 Users of Bugzilla are recommended to update to version 2.14
  Source: CCN Type: BID-3263 Bugzilla reports.cgi Cross-Site Scripting Vulnerability
  Source: XF Type: UNKNOWN bugzilla-reports-crosssite(7064)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2001-1402 (CCN-10480)
Assigned: 2001-08-29
Published: 2001-08-29
Updated: 2001-08-29
Summary: Bugzilla is vulnerable to cross-site scripting, caused by an input validation error in the DisplayError function in the buglist.cgi script. A remote attacker could create a malicious URL link containing embedded script to the buglist.cgi script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked and an error page is displayed.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
  2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 95235 - Insecure variables passed to DisplayError() from buglist.cgi
  Source: MITRE Type: CNA CVE-2001-1402
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: CCN Type: Bugzilla Home page Bugzilla Project Home Page
  Source: XF Type: UNKNOWN bugzilla-buglist-displayerror-xss(10480)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2001-1402 (CCN-10482)
Assigned: 2001-08-29
Published: 2001-08-29
Updated: 2016-10-18
Summary: Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
  2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 39536 - showdependencytree.cgi needs to validate "id" param
  Source: MITRE Type: CNA CVE-2001-1402
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: XF Type: UNKNOWN bugzilla-showdependencytree-xss(10482)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2001-1402 (CCN-10485)
Assigned: 2002-08-21
Published: 2002-08-21
Updated: 2002-08-21
Summary: Bugzilla is vulnerable to cross-site scripting, caused by improper filtering of user-supplied input by the process_bug.cgi script. A remote attacker could embed malicious script within various Bugzilla form fields, which would be executed in the victim's Web browser in the security context of the hosting site, once the form is submitted.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
  2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Consequences: Gain Access
References:
  Source: CCN Type: BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT Security Advisory for Bugzilla v2.13 and older
  Source: CCN Type: Bugzilla bug pages Bug 87701 - Invalid username in bug changes echoed back without being escaped
  Source: MITRE Type: CNA CVE-2001-1402
  Source: CCN Type: RHSA-2001-107 New bugzilla packages are available
  Source: CCN Type: Bugzilla Home page Bugzilla Project Home Page
  Source: XF Type: UNKNOWN bugzilla-processbug-xss(10485)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable