Philor

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 46.0 Firefox ESR versions 38.x prior to 38.8 Firefox ESR versions 45.x prior to 45.1 **Description** The issue is related to multiple unspecified vulnerabilities in the browser engine, potentially allowing remote attackers to cause a denial of service, such as memory corruption and application crash, or possibly execute arbitrary code. The vulnerabilities are caused by a buffer overflow. **Recommendations** For Mozilla Firefox versions prior to 46.0, update to version 46.0 or later. For Firefox ESR versions 38.x prior to 38.8, update to version 38.8 or later. For Firefox ESR versions 45.x prior to 45.1, update to version 45.1 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.20rc1 through 2.20 and 2.21.1 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences, such as `>`, which are automatically decoded by some RSS readers. This is due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers, rather than a flaw in Bugzilla itself. **Recommendations** For Bugzilla versions 2.20rc1 through 2.20 and 2.21.1, consider disabling the use of RSS 1.0 feeds until the issue is resolved, or restrict access to RSS feeds to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bugzilla version 2.16.10 **Description** The issue arises from improper handling of certain characters in the `maxpatchsize` and `maxattachmentsize` parameters in the attachment.cgi script, allowing remote attackers to trigger a SQL error. **Recommendations** For Bugzilla version 2.16.10, consider restricting access to the attachment.cgi script until a proper fix is applied, and avoid using the `maxpatchsize` and `maxattachmentsize` parameters in a way that could trigger SQL errors.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0.1 Thunderbird versions prior to 1.0.1 Mozilla versions prior to 1.7.6 **Description** The issue allows remote attackers to spoof the hostname of the host performing the installation via a long `user:pass` sequence in the URL. This sequence appears before the real hostname in the installation confirmation dialog. **Recommendations** For Firefox versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. For Thunderbird versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. For Mozilla versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue.