CVE-2002-0010 — Mozilla Bugzilla vulnerability

5 documents5 sources

Severity

7.5HIGHNVD

EPSS

3.7%

top 12.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Bugzilla

Timeline

PublishedJan 31

Latest updateApr 30

Description

Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDmozilla/bugzilla2.14.1

Patches

Patch: archives.neohapsis.com ↗Patch: archives.neohapsis.com ↗

🔴Vulnerability Details

GHSA

GHSA-c3r4-83qf-6cq7: Bugzilla before 2↗2022-04-30

▶

CVEList

CVE-2002-0010: Bugzilla before 2↗2002-01-10

▶

📋Vendor Advisories

Red Hat

security flaw↗2002-01-05

▶

💬Community

Bugzilla

CVE-2002-0010 security flaw↗2018-08-16

▶