Description
Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189.
Exploits (1)
exploitdb writeup (verified) by Mateusz Goik · textwebappscgi
https://www.exploit-db.com/exploits/38807
References (2)
Vendor Advisory (x_refsource_confirm): https://bugzilla.mozilla.org/show_bug.cgi?id=924932
Vendor Advisory (x_refsource_confirm): http://www.bugzilla.org/security/4.0.10/
Scores
EPSS
0.0090
EPSS Percentile
75.8%
Details
CWE
CWE-79
Status
published
Products (15)
mozilla/bugzilla
4.1
mozilla/bugzilla
4.1.1
mozilla/bugzilla
4.1.2
mozilla/bugzilla
4.1.3
mozilla/bugzilla
4.3
mozilla/bugzilla
4.3.1
mozilla/bugzilla
4.3.2
mozilla/bugzilla
4.3.3
mozilla/bugzilla
4.2 (3 CPE variants)
mozilla/bugzilla
4.2.1
... and 5 more
Published
Oct 24, 2013
Tracked Since
Feb 18, 2026