CVE-2010-4569
Description
Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bugzilla 3.7.1–4.0rc1 is vulnerable to stored XSS via the real name field, exploited through the YUI AutoComplete widget.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1. The flaw resides in the user account real name field (real_name), which is not properly sanitized before being processed by the YUI AutoComplete widget. This allows an attacker to inject arbitrary web script or HTML into the field, which is later executed in the browsers of other users viewing autocomplete suggestions [1][2].
Exploitation
An attacker must have a valid Bugzilla user account and be able to edit their own real name field (or leverage a user with such privileges). The injected payload is then triggered when another user types in a field that uses the autocomplete functionality, causing the victim's browser to render the malicious script. No additional user interaction beyond normal usage is required [1][2].
Impact
Successful exploitation results in arbitrary script execution in the context of the victim's Bugzilla session, potentially leading to session hijacking, data theft, or other actions the victim can perform. The attack primarily affects the confidentiality and integrity of user sessions [1][2].
Mitigation
The vulnerability is fixed in Bugzilla 4.0rc2, released on January 24, 2011. Users of affected versions should upgrade to 4.0rc2 or later. For installations that cannot upgrade immediately, disabling the autocomplete feature or applying input validation patches to the real_name field may serve as a temporary workaround [1][2].
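The defect described above is an output-encoding failure: a user-controlled string (the real name) reaches markup that the autocomplete widget renders as HTML. The following is an added illustration, not Bugzilla's or YUI's code, of the vulnerable concatenation pattern beside its hardened form, plus the kind of interim server-side input check the mitigation paragraph alludes to. The user records, field names (`login`, `real_name`) and the suggestion template are constructed for the example; YUI's own formatter hook is not reproduced here.

```javascript
// Added example (not Bugzilla or YUI code): output encoding for an
// autocomplete suggestion list that displays user-supplied real names.

// Escape the five characters that change meaning inside HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the real name is concatenated straight into markup that
// the widget later assigns to innerHTML, so a name containing tags becomes DOM.
function formatSuggestionUnsafe(user) {
  return `<span class="login">${user.login}</span> (${user.real_name})`;
}

// Hardened pattern: every user-controlled field is escaped before concatenation.
function formatSuggestionSafe(user) {
  return `<span class="login">${escapeHtml(user.login)}</span> (${escapeHtml(user.real_name)})`;
}

// Hypothetical interim server-side check for the real_name field: reject names
// that carry markup characters. Output encoding above remains the real fix;
// this only narrows what can be stored while an upgrade is pending.
function isAcceptableRealName(name) {
  return typeof name === "string" && name.length <= 255 && !/[<>]/.test(name);
}

// Detection helper for tests/review: does rendered markup contain any tag other
// than the <span> the template itself emits? Any other tag came from user data.
function containsRawTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

// Constructed sample data (not from the advisory).
const SAMPLE_USERS = [
  { login: "alice@example.org", real_name: "Alice Example" },
  { login: "mallory@example.org", real_name: "Mallory <script>alert(1)</script>" },
];

// Stand-alone demonstration: show both renderings for each sample user.
for (const user of SAMPLE_USERS) {
  console.log("unsafe :", formatSuggestionUnsafe(user), "| raw tag:", containsRawTag(formatSuggestionUnsafe(user)));
  console.log("safe   :", formatSuggestionSafe(user), "| raw tag:", containsRawTag(formatSuggestionSafe(user)));
  console.log("accept :", isAcceptableRealName(user.real_name));
}
```

The escaped output still displays the literal text of the real name, so the fix costs nothing functionally; a review check like `containsRawTag` run over rendered suggestions for a known-bad test record is a quick regression guard for this class of bug.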
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:bugzilla:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:3.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:3.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bugzilla:4.0:rc1:*:*:*:*:*:*
- Range: =3.7.1, =3.7.2, =3.7.3, =4.0rc1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.mozilla.org/show_bug.cgi (Patch)
- www.bugzilla.org/security/3.2.9/ (Vendor Advisory)
- www.vupen.com/english/advisories/2011/0207 (Vendor Advisory)
- osvdb.org/70701
- www.securityfocus.com/bid/45982
- www.vupen.com/english/advisories/2011/0271
- yuilibrary.com/forum/viewtopic.php
- yuilibrary.com/projects/yui2/ticket/2529228
- exchange.xforce.ibmcloud.com/vulnerabilities/65178
News mentions
No linked articles in our index yet.