Bugzilla contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'real name' field of a user account before returning it to the user when using the YUI AutoComplete widget, which renders textual data as HTML markup. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Upgrade to version 4.0rc2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2010-4569 (see also: NVD)
• Secunia Advisory ID: 43162 46364
• Bugtraq ID: 45982
• VUPEN Advisory: ADV-2011-0207
• Mail List Post: http://seclists.org/fulldisclosure/2011/Oct/478
• Vendor Specific News/Changelog Entry: http://www.bugzilla.org/security/3.2.9/
  http://www.gentoo.org/security/en/glsa/glsa-201110-03.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=619637
• Other Advisory URL: http://yuilibrary.com/forum/viewtopic.php?p=12923
  http://yuilibrary.com/projects/yui2/ticket/2529228
• Vendor Specific Advisory URL: http://yuilibrary.com/projects/yui2/ticket/2529228

• jkl
• Reed Loden