Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI.
| Type | CWE ID | Description |
|---|---|---|
| text | N/A | n/a |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| http://www.securityfocus.com/bid/45982 | vdb-entry x_refsource_BID |
| http://secunia.com/advisories/43165 | third-party-advisory x_refsource_SECUNIA |
| http://www.bugzilla.org/security/3.2.9/ | x_refsource_CONFIRM |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html | vendor-advisory x_refsource_FEDORA |
| http://www.vupen.com/english/advisories/2011/0271 | vdb-entry x_refsource_VUPEN |
| http://secunia.com/advisories/43033 | third-party-advisory x_refsource_SECUNIA |
| http://www.vupen.com/english/advisories/2011/0207 | vdb-entry x_refsource_VUPEN |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html | vendor-advisory x_refsource_FEDORA |
| http://osvdb.org/70704 | vdb-entry x_refsource_OSVDB |
| https://bugzilla.mozilla.org/show_bug.cgi?id=628034 | x_refsource_CONFIRM |
| http://www.debian.org/security/2011/dsa-2322 | vendor-advisory x_refsource_DEBIAN |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/65005 | vdb-entry x_refsource_XF |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|