It was reported that it was possible for a remote attacker to cause Bugzilla to inject both headers and content to any browser that supported "Server Push" (mostly Gecko-based browsers such as Firefox) by inserting a certain string into a URL. This could lead to XSS vulnerabilities or possibly other more dangerous security issues as well.

This issue has been assigned the name CVE-2010-3172 and is corrected in upstream stable releases 3.2.9, 3.4.9, and 3.6.3.

References:
http://www.bugzilla.org/security/3.2.8/
https://bugzilla.mozilla.org/show_bug.cgi?id=600464

Created bugzilla tracking bugs for this issue

Affects: fedora-all [bug 649406]