CVE-2011-0048

Bugzilla < 3.2.10, 3.4.x < 3.4.10, 3.6.x < 3.6.4, 4.0.x < 4.0rc2 - Cross-Site Scripting via URL Field

Title source: llm
STIX 2.1

Description

Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI.

References (12)

Core 12
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45982
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43165
Vendor Advisory x_refsource_confirm
http://www.bugzilla.org/security/3.2.9/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0271
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43033
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0207
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/70704
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=628034
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2322
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/65005

Scores

EPSS 0.0179
EPSS Percentile 75.8%

Details

CWE
CWE-79
Status published
Products (45)
mozilla/bugzilla 2.0
mozilla/bugzilla 2.2
mozilla/bugzilla 2.4
mozilla/bugzilla 2.6
mozilla/bugzilla 2.8
mozilla/bugzilla 2.9
mozilla/bugzilla 2.10
mozilla/bugzilla 2.12
mozilla/bugzilla 2.14
mozilla/bugzilla 2.14.1
... and 35 more
Published Jan 28, 2011
Tracked Since Feb 18, 2026