
cpe:2.3:a:mozilla:bugzilla:3.6.13:*:*:*:*:*:*:*

part: a version: 3.6.13 update: *

Vendor: Mozilla (be1b0d4e-21a7-5a25-9982-bbda6ef43ec1)
Product: Bugzilla (e01796e2-013a-5496-a0c3-a87ebcd7e088)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:docker/bugzilla/bugzilla-dev | purl2cpe | 2026-06-01 10:17:53.656217
pkg:github/bugzilla/bugzilla | purl2cpe | 2026-06-01 10:17:53.656218
pkg:rpm/fedora/bugzilla | purl2cpe | 2026-06-01 10:17:53.656219
pkg:rpm/opensuse/bugzilla | purl2cpe | 2026-06-01 10:17:53.656221

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2016-2803 vulnerable 2026-06-03 14:35:43.929748 Details available
Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML.
Published: 2017-04-12T22:00:00.000Z
Updated: 2024-08-05T23:32:21.226Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-8509 vulnerable 2026-06-03 14:35:12.187056 Details available
Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.
Published: 2016-01-03T02:00:00.000Z
Updated: 2024-08-06T08:20:42.370Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-8508 vulnerable 2026-06-03 14:35:12.153594 Details available
Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary.
Published: 2016-01-03T02:00:00.000Z
Updated: 2024-08-06T08:20:42.648Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-4499 vulnerable 2026-06-03 14:34:52.061892 Details available
Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address.
Published: 2015-09-14T01:00:00.000Z
Updated: 2024-08-06T06:18:11.279Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1573 vulnerable 2026-06-03 14:33:47.893090 Details available
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.
Published: 2014-10-13T01:00:00.000Z
Updated: 2024-08-06T09:42:36.650Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1572 vulnerable 2026-06-03 14:33:47.888133 Details available
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.
Published: 2014-10-13T01:00:00.000Z
Updated: 2024-08-06T09:42:36.509Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1571 vulnerable 2026-06-03 14:33:47.869020 Details available
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.
Published: 2014-10-13T01:00:00.000Z
Updated: 2024-08-06T09:42:36.529Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1546 vulnerable 2026-06-03 14:33:47.688517 Details available
The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
Published: 2014-08-14T10:00:00.000Z
Updated: 2024-08-06T09:42:36.616Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1517 vulnerable 2026-06-03 14:33:47.535445 Details available
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue.
Published: 2014-04-20T01:00:00.000Z
Updated: 2024-08-06T09:42:36.285Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-1742 vulnerable 2026-06-03 14:32:51.413766 Details available
Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter.
Published: 2013-10-24T10:00:00.000Z
Updated: 2024-09-16T16:38:33.769Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-1734 vulnerable 2026-06-03 14:32:51.316668 Details available
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.
Published: 2013-10-24T10:00:00.000Z
Updated: 2024-09-17T02:00:32.904Z
Imported from gcve-enriched-dumps CVE data
