A Bugzilla Security Advisory reports:
The following security issues have been discovered in
Bugzilla:
- Due to a lack of validation of the enctype form attribute
when making POST requests to xmlrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious HTML code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the XML-RPC API on a site running
mod_perl. Sites running under mod_cgi are not affected.
Also, the user would have had to be already logged in to the
target site for the vulnerability to work.
All affected installations are encouraged to upgrade as soon
as possible.