The upstream advisory reads:

Issue 1
-------
Class:       Cross-Site Scripting
Versions:    2.17.1 and above
Description: Bugzilla does not properly escape the 'buildid' field in
             the guided form when filing bugs. From 2.17.1 till 2.23.3,
             this field was based exclusively on the User-Agent string
             returned by your web browser. Since 2.23.4, this parameter
             can be defined in the URL passed to enter_bug.cgi, overwriting
             the User-Agent string and may lead to cross-site scripting.
             The guided form is not usually used by Bugzilla installations,
             as it is shipped only as an example to be modified for their
             own use.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386942

Issue 2
-------
Class:       Command Injection
Versions:    2.23.4 and above
Description: Bugzilla 2.23.4 and newer use the Email:: modules instead
             of the Mail:: and MIME:: ones. The argument passed to the -f
             option of Email::Send::Sendmail() is insufficiently escaped
             and may lead to limited command injection when called from
             email_in.pl, a script which was also introduced in 2.23.4.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=386860

Issue 3
-------
Class:       Information Leak
Versions:    2.23.3 and above
Description: Bugzilla's WebService (XML-RPC) interface allows you to access
             the time-tracking fields (such as Deadline, Estimated Time, etc.)
             on all bugs, even if you normally cannot access time-tracking
             fields.
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=382056