Jouni Heikniemi

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.16.x through 2.16.5 Bugzilla versions 2.18 before 2.18rc1 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in various CGI scripts, including `editcomponents.cgi`, `editgroups.cgi`, `editmilestones.cgi`, `editproducts.cgi`, `editusers.cgi`, and `editversions.cgi`. These vulnerabilities allow remote attackers to execute arbitrary JavaScript as other users via a URL parameter. **Recommendations** For Bugzilla versions 2.16.x through 2.16.5, update to version 2.16.6 or later. For Bugzilla versions 2.18 before 2.18rc1, update to version 2.18rc1 or later. As a temporary workaround, consider restricting access to the vulnerable CGI scripts until a patch is available.

Name of the Vulnerable Software and Affected Versions: Bugzilla versions 2.16.x through 2.16.2 Bugzilla versions 2.17.x through 2.17.3 Description: The issue allows remote attackers to insert arbitrary HTML or web script via multiple default German and Russian HTML templates or ALT and NAME attributes in AREA tags as used by the GraphViz graph generation feature for local dependency graphs. Recommendations: For Bugzilla versions 2.16.x through 2.16.2, update to version 2.16.3 or later. For Bugzilla versions 2.17.x through 2.17.3, update to version 2.17.4 or later.

Name of the Vulnerable Software and Affected Versions: Bugzilla versions 2.16.x through 2.16.2 Bugzilla versions 2.17.x through 2.17.3 Bugzilla versions prior to 2.16.x Description: The issue allows local users to overwrite arbitrary files via a symlink attack on temporary files created in directories with group-writable or world-writable permissions. Recommendations: For Bugzilla versions 2.16.x through 2.16.2, update to version 2.16.3 or later. For Bugzilla versions 2.17.x through 2.17.3, update to version 2.17.4 or later. For Bugzilla versions prior to 2.16.x, update to version 2.16.3 or later.