Arch Linux Security Advisory ASA-201605-25 ========================================== Severity: Medium Date : 2016-05-19 CVE-ID : CVE-2016-2803 Package : bugzilla Type : cross-site scripting Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package bugzilla before version 5.0.3-1 is vulnerable to cross-site scripting. Resolution ========== Upgrade to 5.0.3-1. # pacman -Syu "bugzilla>=5.0.3-1" The problem has been fixed upstream in version 5.0.3. Workaround ========== None. Description =========== An attacker can craft a malicious summary within a bug report to host malicious javascript code. This code will be served to a user when he or she navigates to the bug's dependency graph. Impact ====== An attacker is able to submit a malicious bug report and execute arbitrary javascript code in the client's browser by using the bugzilla server as a pivot. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2803 https://bugzilla.mozilla.org/show_bug.cgi?id=1253263