Two vulnerabilities have been reported in Bugzilla, which can be exploited by malicious people to bypass the login lockout policy and to conduct cross-site request forgery attacks.
The application allows logged-in users to perform certain actions via HTTP requests without performing any validity check (such as a per-session request token) to verify that the user actually intended the request.
By supplying an arbitrary X-Forwarded-For header, an attacker can make each failed login appear to come from a different client address and so bypass the lockout policy, allowing brute-force discovery of a valid user's password.
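The lockout bypass, as an added example that is not Bugzilla's own code: the weak policy keys failed-login counting on whatever X-Forwarded-For value the client sends, so an attacker who rotates the header is never locked out; the hardened policy honours the header only when the TCP peer is in a configured list of trusted inbound proxies. The proxy list, the threshold of five failures, the addresses and the password are all constructed for the example.

```python
# Added example, not Bugzilla's own code: models the X-Forwarded-For lockout
# bypass and a hardened variant that only trusts the header from known proxies.
from collections import defaultdict

MAX_FAILURES = 5  # hypothetical lockout threshold for this example


def client_ip(remote_addr, headers, inbound_proxies, trust_xff_always=False):
    """Return the address that lockout accounting should be keyed on.

    Weak mode (trust_xff_always=True): any client may set X-Forwarded-For and
    the server keys the lockout on that attacker-controlled value.
    Hardened mode: the header is honoured only when the TCP peer is one of the
    configured inbound proxies; otherwise the peer address itself is used.
    """
    xff = headers.get("X-Forwarded-For")
    if xff and (trust_xff_always or remote_addr in inbound_proxies):
        # Left-most entry is the original client as reported by the proxy chain.
        return xff.split(",")[0].strip()
    return remote_addr


class LoginLockout:
    """Counts failed logins per client address and refuses further attempts."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_locked(self, ip):
        return self.failures[ip] >= self.max_failures

    def attempt(self, ip, password, real_password):
        """Return 'locked', 'ok' or 'fail' for one login attempt keyed on ip."""
        if self.is_locked(ip):
            return "locked"
        if password == real_password:
            return "ok"
        self.failures[ip] += 1
        return "fail"


def brute_force(trust_xff_always, attempts=20,
                inbound_proxies=frozenset({"10.0.0.2"})):
    """Simulate an attacker at 203.0.113.9 (constructed address) who changes
    X-Forwarded-For on every request. Returns how many password guesses the
    server actually evaluated before the lockout stopped it."""
    lockout = LoginLockout()
    real_password = "hunter2"  # constructed secret; no guess below matches it
    evaluated = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}  # attacker-chosen value
        ip = client_ip("203.0.113.9", headers, inbound_proxies, trust_xff_always)
        if lockout.attempt(ip, f"guess{i}", real_password) == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("weak policy, guesses evaluated:", brute_force(True))      # 20
    print("hardened policy, guesses evaluated:", brute_force(False))  # 5
```

With the weak policy all twenty guesses are evaluated because every request lands on a fresh counter; with the hardened policy the peer address is used, and the sixth attempt is refused. The same check applies to any rate limit or audit log keyed on a client address: a forwarding header is only evidence when it comes from a proxy you operate.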
An attacker who lures a logged-in victim to a specially crafted HTML page can cause the victim's browser to request some bug information using the victim's credentials, since the application does not verify that the request originated from the victim.
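The missing validity check, as an added example that is not Bugzilla's own code: a request handler for a hypothetical bug-display action is shown without and with a session-bound request token. A forging page can make the victim's browser send the request with the victim's cookies, but it cannot read a token issued to the victim's session, so the token check turns the forged request into a 403. The endpoint name, session identifier, server key and bug data are constructed for the example.

```python
# Added example, not Bugzilla's own code: minimal request-token check of the
# kind whose absence allows the cross-site request forgery described above.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, constructed here

BUGS = {"1234": "internal: VPN credentials rotate Friday"}  # constructed data


def issue_token(session_id, action):
    """Token bound to the victim's session and to the action it authorises.
    Only the legitimate page served to that session receives this value."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_request(session_id, params, bug_db, check_token=True):
    """Serve a hypothetical 'show_bug' request for an authenticated session.

    Without the token check the request is honoured on the strength of the
    session cookie alone, which the browser attaches to any request the
    attacker's page triggers. With it, a request lacking the correct token is
    refused before any bug data is touched."""
    action = "show_bug"
    if check_token:
        supplied = params.get("token", "")
        expected = issue_token(session_id, action)
        if not hmac.compare_digest(supplied, expected):
            return {"status": 403, "body": "missing or invalid request token"}
    bug = bug_db.get(params.get("id"))
    if bug is None:
        return {"status": 404, "body": "no such bug"}
    return {"status": 200, "body": bug}


def forged_request(check_token):
    """What arrives when the victim visits the attacker's page: e.g. a hidden
    auto-submitting form targeting the bug endpoint. The browser adds the
    victim's session; the page cannot supply a token it never saw."""
    return handle_request("victim-session", {"id": "1234"}, BUGS, check_token)


def legitimate_request():
    """The same request made from the application's own page, which carries
    the token issued to this session."""
    token = issue_token("victim-session", "show_bug")
    return handle_request("victim-session", {"id": "1234", "token": token}, BUGS)


if __name__ == "__main__":
    print("forged, no check:", forged_request(False)["status"])   # 200
    print("forged, with check:", forged_request(True)["status"])  # 403
    print("legitimate:", legitimate_request()["status"])          # 200
```

Binding the token to both the session and the action means a token leaked from one form cannot be replayed against another; comparing with `hmac.compare_digest` avoids leaking the expected value through timing.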
Cross-Site Request Forgery From Remote
Update to version 3.6.9, 4.0.6, or 4.2.1, available at Bugzilla Downloads.