FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-20 14:15:46 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
e135f0c9-375f-11e3-80b7-20cf30e32f6d	bugzilla -- multiple vulnerabilities A Bugzilla Security Advisory reports: Cross-Site Request Forgery When a user submits changes to a bug right after another user did, a midair collision page is displayed to inform the user about changes recently made. This page contains a token which can be used to validate the changes if the user decides to submit his changes anyway. A regression in Bugzilla 4.4 caused this token to be recreated if a crafted URL was given, even when no midair collision page was going to be displayed, allowing an attacker to bypass the token check and abuse a user to commit changes on his behalf. Cross-Site Request Forgery When an attachment is edited, a token is generated to validate changes made by the user. Using a crafted URL, an attacker could force the token to be recreated, allowing him to bypass the token check and abuse a user to commit changes on his behalf. Cross-Site Scripting Some parameters passed to editflagtypes.cgi were not correctly filtered in the HTML page, which could lead to XSS. Cross-Site Scripting Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports could lead to XSS. Discovery 2013-10-16 Entry 2013-10-17 Modified 2014-04-30 bugzilla >= 4.0.0 lt 4.0.11 bugzilla40 >= 4.0.0 lt 4.0.11 bugzilla42 >= 4.2.0 lt 4.2.7 bugzilla44 >= 4.4 lt 4.4.1 CVE-2013-1733 https://bugzilla.mozilla.org/show_bug.cgi?id=911593 CVE-2013-1734 https://bugzilla.mozilla.org/show_bug.cgi?id=913904 CVE-2013-1742 https://bugzilla.mozilla.org/show_bug.cgi?id=924802 CVE-2013-1743 https://bugzilla.mozilla.org/show_bug.cgi?id=924932
1c8a039b-7b23-11e2-b17b-20cf30e32f6d	bugzilla -- multiple vulnerabilities A Bugzilla Security Advisory reports: Cross-Site Scripting When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS. Information Leak When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue. Discovery 2013-02-19 Entry 2013-02-20 Modified 2013-03-31 bugzilla de-bugzilla ru-bugzilla ja-bugzilla >= 3.6.0 lt 3.6.13 >= 4.0.0 lt 4.0.10 >= 4.2.0 lt 4.2.5 CVE-2013-0785 https://bugzilla.mozilla.org/show_bug.cgi?id=842038 CVE-2013-0786 https://bugzilla.mozilla.org/show_bug.cgi?id=824399

VuXML ID

Description

e135f0c9-375f-11e3-80b7-20cf30e32f6d

bugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

Cross-Site Request Forgery

When a user submits changes to a bug right after another user did, a midair collision page is displayed to inform the user about changes recently made. This page contains a token which can be used to validate the changes if the user decides to submit his changes anyway. A regression in Bugzilla 4.4 caused this token to be recreated if a crafted URL was given, even when no midair collision page was going to be displayed, allowing an attacker to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Request Forgery

When an attachment is edited, a token is generated to validate changes made by the user. Using a crafted URL, an attacker could force the token to be recreated, allowing him to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Scripting

Some parameters passed to editflagtypes.cgi were not correctly filtered in the HTML page, which could lead to XSS.

Cross-Site Scripting

Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports could lead to XSS.

Discovery 2013-10-16
Entry 2013-10-17
Modified 2014-04-30
bugzilla

>= 4.0.0 lt 4.0.11

bugzilla40

>= 4.0.0 lt 4.0.11

bugzilla42

>= 4.2.0 lt 4.2.7

bugzilla44

>= 4.4 lt 4.4.1

CVE-2013-1733
https://bugzilla.mozilla.org/show_bug.cgi?id=911593
CVE-2013-1734
https://bugzilla.mozilla.org/show_bug.cgi?id=913904
CVE-2013-1742
https://bugzilla.mozilla.org/show_bug.cgi?id=924802
CVE-2013-1743
https://bugzilla.mozilla.org/show_bug.cgi?id=924932

1c8a039b-7b23-11e2-b17b-20cf30e32f6d

bugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

Cross-Site Scripting

When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS.

Information Leak

When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue.

Discovery 2013-02-19
Entry 2013-02-20
Modified 2013-03-31
bugzilla
de-bugzilla
ru-bugzilla
ja-bugzilla

>= 3.6.0 lt 3.6.13

>= 4.0.0 lt 4.0.10

>= 4.2.0 lt 4.2.5

CVE-2013-0785
https://bugzilla.mozilla.org/show_bug.cgi?id=842038
CVE-2013-0786
https://bugzilla.mozilla.org/show_bug.cgi?id=824399