Cross-Site Request Forgery
When a user submits changes to a bug right after another
user did, a midair collision page is displayed to inform
the user about the changes recently made. This page contains
a token which can be used to validate the changes if the
user decides to submit their changes anyway. A regression
in Bugzilla 4.4 caused this token to be recreated if a
crafted URL was given, even when no midair collision page
was going to be displayed, allowing an attacker to bypass
the token check and abuse a user to commit changes on the
attacker's behalf.

Cross-Site Request Forgery
When an attachment is edited, a token is generated to
validate changes made by the user. Using a crafted URL,
an attacker could force the token to be recreated,
allowing the attacker to bypass the token check and abuse
a user to commit changes on the attacker's behalf.
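
The flaw class behind both token issues above, as an added example that is not Bugzilla's code: a handler that lets request input trigger token creation validates its own token, while the corrected handler issues a token only with a rendered page and commits only on a later request. The TokenStore class, the "midair" parameter and the handler names are hypothetical.

```python
import secrets

class TokenStore:
    """Single-use tokens bound to a user and an action (model, not Bugzilla code)."""
    def __init__(self):
        self._live = {}

    def issue(self, user, action):
        token = secrets.token_hex(16)
        self._live[token] = (user, action)
        return token

    def consume(self, token, user, action):
        # pop() makes the token single-use; a missing token never matches.
        return self._live.pop(token, None) == (user, action)


def submit_flawed(store, user, params, collision_detected):
    """Flaw class: request input alone reaches the code that mints a token."""
    token = params.get("token")
    if params.get("midair") == "1":            # hypothetical parameter name
        token = store.issue(user, "edit_bug")  # minted and checked in one request
    if store.consume(token, user, "edit_bug"):
        return ("committed", None)
    return ("rejected", None)


def submit_fixed(store, user, params, collision_detected):
    """A token is minted only with a rendered page and never self-validates."""
    if store.consume(params.get("token"), user, "edit_bug"):
        return ("committed", None)
    if collision_detected:                     # server-side state, not request input
        return ("collision_page", store.issue(user, "edit_bug"))
    return ("rejected", None)


# Constructed request: parameters a cross-site request could carry (no valid token).
FORGED = {"midair": "1", "comment": "constructed sample"}

def demo():
    store = TokenStore()
    flawed = submit_flawed(store, "alice", FORGED, collision_detected=False)
    fixed = submit_fixed(store, "alice", FORGED, collision_detected=False)
    # Legitimate flow: collision page shown first, then resubmission with its token.
    page, token = submit_fixed(store, "alice", {}, collision_detected=True)
    resubmit = submit_fixed(store, "alice", {"token": token}, collision_detected=True)
    return flawed[0], fixed[0], page, resubmit[0]

if __name__ == "__main__":
    print(demo())
```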

Cross-Site Scripting
Some parameters passed to editflagtypes.cgi were not
correctly filtered in the HTML page, which could lead
to XSS.

Cross-Site Scripting
Due to an incomplete fix for CVE-2012-4189, some
incorrectly filtered field values in tabular reports
could lead to XSS.