The upstream advisory reads: Issue 1 ------- Class: Cross-Site Scripting Versions: 2.17.1 and above Description: Bugzilla does not properly escape the 'buildid' field in the guided form when filing bugs. From 2.17.1 till 2.23.3, this field was based exclusively on the User-Agent string returned by your web browser. Since 2.23.4, this parameter can be defined in the URL passed to enter_bug.cgi, overwriting the User-Agent string and may lead to cross-site scripting. The guided form is not usually used by Bugzilla installations, as it is shipped only as an example to be modified for their own use. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=386942 Issue 2 ------- Class: Command Injection Versions: 2.23.4 and above Description: Bugzilla 2.23.4 and newer use the Email:: modules instead of the Mail:: and MIME:: ones. The argument passed to the -f option of Email::Send::Sendmail() is insufficiently escaped and may lead to limited command injection when called from email_in.pl, a script which was also introduced in 2.23.4. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=386860 Issue 3 ------- Class: Information Leak Versions: 2.23.3 and above Description: Bugzilla's WebService (XML-RPC) interface allows you to access the time-tracking fields (such as Deadline, Estimated Time, etc.) on all bugs, even if you normally cannot access time-tracking fields. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=382056
CVE identifiers for each of these bugs were requested.
*** This bug has been marked as a duplicate of 256021 ***