A Bugzilla Security Advisory reports:
This advisory covers three security issues that have recently been
fixed in the Bugzilla code:
- A weakness in Bugzilla could allow a user to gain unauthorized
access to another Bugzilla account.
- A weakness in the Perl CGI.pm module allows injecting HTTP
headers and content to users via several pages in Bugzilla.
- If you put a harmful "javascript:" or "data:" URL into
Bugzilla's "URL" field, then there are multiple situations in
which Bugzilla will unintentionally make that link clickable.
- Various pages lack protection against cross-site request
forgeries.
All affected installations are encouraged to upgrade as soon as
possible.
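
The "javascript:" / "data:" URL item above comes down to deciding which URL schemes may be turned into a clickable link. The following is an added example, not code from Bugzilla or from the advisory: a scheme allowlist applied before a user-supplied URL field is rendered. The allowed schemes, the function names and the sample values are assumptions made for illustration.

```python
import re
from html import escape

# Assumption: the schemes this installation is willing to link to.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# Browsers drop tab, CR and LF anywhere in a URL and ignore leading
# control characters and spaces, so the check must do the same before
# it looks at the scheme.
_REMOVED_BY_BROWSERS = re.compile(r"[\t\r\n]")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def url_scheme(raw):
    """Return the lower-cased scheme a browser would see, or None."""
    cleaned = _REMOVED_BY_BROWSERS.sub("", raw).lstrip(_LEADING_JUNK)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_link(raw):
    """True only for an absolute URL whose scheme is on the allowlist."""
    return url_scheme(raw) in SAFE_SCHEMES


def render_url_field(raw):
    """Render the field as a link if it is safe, otherwise as inert text.

    The value is HTML-escaped in both cases; values with no scheme or a
    scheme off the allowlist are shown but never made clickable.
    """
    text = escape(raw, quote=True)
    if is_safe_link(raw):
        return '<a href="%s">%s</a>' % (text, text)
    return text


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for value in ("https://example.com/?a=1&b=2", "javascript:void(0)",
                  "JaVa\tScript:void(0)", "data:text/plain,hello",
                  "example.com/page"):
        print(repr(value), "->", render_url_field(value))
```

An allowlist is used rather than a list of blocked schemes so that any scheme not explicitly approved stays inert text.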