https://bugzilla.redhat.com/show_bug.cgi?id=1295438

Bug ID: 1295438
Summary: CVE-2015-8509 bugzilla: information leak when parsing the CSV file
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@xxxxxxxxxx
Reporter: mprpic@xxxxxxxxxx
CC: bazanluis20@xxxxxxxxx, emmanuel@xxxxxxxxx, itamar@xxxxxxxxxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx

Upstream Bugzilla fixed the following issue:

If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file.

This issue was fixed in versions 4.2.16, 4.4.11, and 5.0.2.

Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1232785

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
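An added example, not part of the original report or of Bugzilla's code: a header audit for CSV export responses, using a simplified model of the MIME-type and `X-Content-Type-Options: nosniff` checks that current browsers apply before running a response as a `<script>`. The function names and the sample responses are constructed for illustration, and the report does not say which of these mechanisms, if any, the upstream fix uses.

```python
# Simplified model (assumption) of the browser-side checks applied to a
# response that is requested as a classic <script>. Hypothetical helper names.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
    "text/x-ecmascript", "text/x-javascript",
} | {"text/javascript1.%d" % n for n in range(6)}
# Types refused for script loads even when nosniff is absent.
BLOCKED_PREFIXES = ("image/", "audio/", "video/")
BLOCKED_TYPES = {"text/csv"}


def mime_essence(content_type):
    """Lowercased type/subtype without parameters, or None if unusable."""
    value = (content_type or "").split(";", 1)[0].strip().lower()
    return value if "/" in value else None


def script_load_verdict(headers):
    """Classify how a browser treats this response when used as <script src>."""
    h = {k.lower(): v for k, v in headers.items()}
    mime = mime_essence(h.get("content-type"))
    first = h.get("x-content-type-options", "").split(",")[0].strip().lower()
    if first == "nosniff" and mime not in JS_MIME_TYPES:
        return "blocked-by-nosniff"      # strongest: any non-JS type refused
    if mime and (mime in BLOCKED_TYPES or mime.startswith(BLOCKED_PREFIXES)):
        return "blocked-by-mime-type"    # depends on the browser enforcing it
    return "executes"                    # body is handed to the JS parser


def at_risk(responses):
    """Names of responses a third-party page could load as a script."""
    return [n for n, h in responses.items() if script_load_verdict(h) == "executes"]


# Constructed sample responses for a CSV buglist export.
SAMPLES = {
    "csv-as-plain": {"Content-Type": "text/plain; charset=UTF-8"},
    "csv-no-type": {},
    "csv-typed": {"Content-Type": "text/csv; charset=UTF-8"},
    "csv-hardened": {"Content-Type": "text/csv", "X-Content-Type-Options": "nosniff"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", script_load_verdict(hdrs))
```

A `blocked-by-mime-type` verdict only holds in browsers that enforce that check, so an audit should still treat a missing `nosniff` header on authenticated exports as a finding.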