It was reported that a remote attacker could cause Bugzilla to inject both headers and content into any browser that supported "Server Push" (mostly Gecko-based browsers such as Firefox) by inserting a certain string into a URL. This could lead to XSS vulnerabilities or possibly other, more dangerous security issues.
This issue has been assigned the name CVE-2010-3172 and is corrected in upstream stable releases 3.2.9, 3.4.9, and 3.6.3.
Created Bugzilla tracking bugs for this issue:
Affects: fedora-all [bug 649406]