A Bugzilla Security Advisory reports:
The following security issues have been discovered in Bugzilla:
- Internet Explorer 8 and older, and Safari before 5.0.6 do
  content sniffing when viewing a patch in "Raw Unified" mode,
  which could trigger a cross-site scripting attack due to
  the execution of malicious code in the attachment.
- It is possible to determine whether or not certain group
  names exist while creating or updating bugs.
- Attachment descriptions with a newline in them could lead
  to the injection of crafted headers in email notifications sent
  to the requestee or the requester when editing an attachment
  flag.
- If an attacker has access to a user's session, he can modify
  that user's email address without that user being notified
  of the change.
- Temporary files for uploaded attachments are not deleted
  on Windows, which could let a user with local access to
  the server read them.
- Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised,
  it can be used to inject HTML code when viewing a bug report,
  leading to a cross-site scripting attack.
All affected installations are encouraged to upgrade as soon as
possible.
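
The attachment-description issue above is an instance of email header injection. The following is an added illustration in Python, not Bugzilla's own code (Bugzilla is written in Perl); the addresses, subject format, function names and sample description are assumptions constructed for the example. It shows a notification built by string formatting next to one that normalises the value before it reaches a header.

```python
from email import message_from_string
from email.message import EmailMessage

# Constructed sample: an attachment description with an embedded newline.
SAMPLE_DESCRIPTION = "fix for crash\nX-Constructed-Header: injected"


def naive_notification(description):
    """Vulnerable pattern: untrusted text formatted straight into a header."""
    return (
        "From: bugzilla@example.invalid\n"
        "To: requestee@example.invalid\n"
        f"Subject: Flag request: {description}\n"
        "\n"
        "A flag was set on an attachment.\n"
    )


def header_names(raw):
    """Header names as a receiving mail parser would see them."""
    return [name for name, _ in message_from_string(raw).items()]


def sanitize_header_value(value):
    """Collapse every whitespace run, CR and LF included, to one space."""
    return " ".join(value.split())


def safe_notification(description):
    """Hardened pattern: normalise the value, then let the library serialise."""
    msg = EmailMessage()
    msg["From"] = "bugzilla@example.invalid"
    msg["To"] = "requestee@example.invalid"
    msg["Subject"] = "Flag request: " + sanitize_header_value(description)
    msg.set_content("A flag was set on an attachment.")
    return msg.as_string()


def library_rejects(description):
    """EmailMessage's default policy refuses values with an embedded line break."""
    try:
        EmailMessage()["Subject"] = "Flag request: " + description
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive headers:", header_names(naive_notification(SAMPLE_DESCRIPTION)))
    print("safe headers: ", header_names(safe_notification(SAMPLE_DESCRIPTION)))
    print("library rejects raw value:", library_rejects(SAMPLE_DESCRIPTION))
```
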