VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2011 · Updated Apr 29, 2026

CVE-2010-4570

Description

Cross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bugzilla 3.7.1-3.7.3 and 4.0rc1 are vulnerable to stored XSS: a bug summary (short_desc) containing script is rendered unescaped by the YUI DataTable widget in the "possible duplicates" table, allowing arbitrary script execution in the session of any user whose duplicate search matches that bug.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the duplicate-detection functionality of Bugzilla versions 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 [1][2]. The flaw is in how the short_desc (summary) field of existing bugs is displayed in the "possible duplicates" table that is shown while a new bug is being filed. The YUI DataTable widget used to render that table does not HTML-encode the summary, so markup and script contained in it are interpreted by the browser instead of being displayed as text [2]. An attacker seeds the payload by filing a bug whose summary contains it; the payload is then stored in the database and served to anyone whose duplicate search returns that bug.

Exploitation

To exploit this, an attacker needs an account that can file bugs and submits one with a crafted summary containing JavaScript. When another user (for example a triager) starts filing a new bug whose summary is similar enough for the attacker's bug to appear in the possible-duplicates table, the DataTable widget renders the unescaped summary and the injected script executes [2]. Because that table is populated as part of the normal new-bug workflow, no interaction beyond using the form is required, and the victim never has to open the malicious bug itself.
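The two sections above describe the rendering mistake and how it is triggered. The following is an added example, not code from Bugzilla or YUI: it models a "possible duplicates" row being built from bug records, shows the unescaped pattern beside an HTML-encoding one, and includes a small check that reports tag names the template never emitted. The field names (`id`, `short_desc`, `status`) follow Bugzilla's naming; the sample records are constructed for the example.

```javascript
// Added example, not code from Bugzilla or YUI: a minimal model of how a
// "possible duplicates" table row is built from bug records, with the
// unescaped rendering the advisory describes beside an HTML-encoding one.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw field values are concatenated straight into markup,
// which is what assigning them to a cell's innerHTML without encoding amounts to.
function renderRowUnsafe(bug) {
  return `<tr><td>${bug.id}</td><td>${bug.short_desc}</td><td>${bug.status}</td></tr>`;
}

// Hardened pattern: every field is encoded before it becomes markup, so a
// summary like "<img onerror=...>" is displayed literally instead of parsed.
function renderRowSafe(bug) {
  return `<tr><td>${escapeHtml(bug.id)}</td><td>${escapeHtml(bug.short_desc)}</td><td>${escapeHtml(bug.status)}</td></tr>`;
}

function renderTable(bugs, renderRow) {
  return `<table>${bugs.map(renderRow).join("")}</table>`;
}

// Tag names the table template itself emits; anything else came from data.
const TEMPLATE_TAGS = new Set(["table", "tr", "td"]);

// Return the sorted list of tag names in `html` that the template never wrote.
// A non-empty result means bug data was interpreted as markup.
function findForeignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed sample data (not real Bugzilla records): the second bug's
// summary carries a script-bearing payload of the kind the advisory describes.
const SAMPLE_BUGS = [
  { id: 101, short_desc: "Crash when saving an attachment", status: "NEW" },
  { id: 102, short_desc: '<img src=x onerror="alert(document.cookie)">', status: "CONFIRMED" },
];

console.log("unsafe render, foreign tags:", findForeignTags(renderTable(SAMPLE_BUGS, renderRowUnsafe)));
console.log("safe render, foreign tags:  ", findForeignTags(renderTable(SAMPLE_BUGS, renderRowSafe)));
console.log(renderRowSafe(SAMPLE_BUGS[1]));
```

The check in `findForeignTags` is deliberately crude (it only looks for tag-like tokens), but it is enough to show the difference: the unsafe renderer lets the `img` element from bug 102 reach the page, while the safe renderer yields only the template's own `table`, `tr` and `td` elements and the payload survives as visible text.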

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's Bugzilla session. This can lead to theft of session cookies, performing actions on behalf of the victim, or accessing sensitive data displayed in the interface. The attack is limited to the scope of the victim's privileges within the Bugzilla installation [2].

Mitigation

The vulnerability is fixed in Bugzilla 4.0rc2 [1]. The stable 3.2, 3.4 and 3.6 branches are not listed as affected, so 3.2.10, 3.4.10 and 3.6.4, which were released alongside 4.0rc2 to address other issues, are not fixes for this CVE. Installations running 3.7.1-3.7.3 or 4.0rc1 should upgrade to 4.0rc2 or later. There is no workaround short of removing the duplicate-detection feature, which is rarely practical. The fix includes an update to the bundled YUI library, where the issue lies [2].
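Deciding whether an installation is in the affected range is easy to get wrong with a plain string comparison, because release candidates sort before the final release of the same number (4.0rc1 < 4.0rc2 < 4.0). The following is an added example, not a tool from Bugzilla or the advisory: it parses Bugzilla version strings of the forms seen on this page and applies the range stated above, 3.7.1 up to but not including 4.0rc2. The handling of any other version format is an assumption of the example.

```javascript
// Added example (not from Bugzilla or the advisory): decide whether a Bugzilla
// version string falls in the range this CVE affects, 3.7.1 through 4.0rc1,
// and whether it is at or past the fixed release, 4.0rc2.

// Parse "3.7.2", "4.0rc1" or "4.0" into a comparable record. Release candidates
// sort before the final release of the same number: 4.0rc1 < 4.0rc2 < 4.0.
// Version strings outside these shapes are rejected (assumption of this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Bugzilla version: ${v}`);
  const [, major, minor, patch, rc] = m;
  return {
    major: Number(major),
    minor: Number(minor),
    patch: Number(patch ?? 0),
    // Infinity marks a final release so that any rcN compares lower than it.
    rc: rc === undefined ? Infinity : Number(rc),
  };
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ["major", "minor", "patch", "rc"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = "3.7.1";
const FIXED_IN = "4.0rc2";

// Affected: everything from 3.7.1 up to, but not including, 4.0rc2. That covers
// 3.7.1, 3.7.2, 3.7.3 and 4.0rc1 and nothing on the 3.6 or older branches.
function isAffected(v) {
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

for (const v of ["3.6.4", "3.7.1", "3.7.3", "4.0rc1", "4.0rc2", "4.0"]) {
  console.log(v.padEnd(7), isAffected(v) ? "AFFECTED" : "not affected");
}
```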

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:mozilla:bugzilla:3.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:3.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:3.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:bugzilla:4.0:rc1:*:*:*:*:*:*
  • Range: 3.7.1-3.7.3, 4.0rc1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

9

News mentions

0

No linked articles in our index yet.