New vulnerability confirmed in the service

Feb 5, 2007 15:43 GMT  ·  By

Bugzilla is one of the most widely used bug trackers on the Internet: it lets developers and companies record defects and security flaws in their applications, so that they can fix them or at least publish a workaround before the issues are exploited. Many software projects rely on it, and it is available for free through a simple web-based interface.

Although the product exists to track bugs and vulnerabilities, it is not immune to them itself: Secunia has announced a security flaw that allows an attacker to carry out cross-site scripting. The company rated the vulnerability as "less critical" and stated that versions prior to 2.20.4, 2.22.2 and 2.23.4 are affected.

"Input passed to certain fields (e.g. the realname field) is not properly sanitized before being used to generate Atom feeds. This can be exploited to execute arbitrary HTML and script code in a user's atom feed reader in context of an affected site," Secunia stated in its advisory.
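The flaw Secunia describes is a two-layer escaping problem: an Atom feed is XML, but a `<summary type="html">` element carries HTML that the feed reader unescapes and renders, so an untrusted value placed there must be HTML-escaped before the XML escaping that makes the document well-formed. The Python below is an added illustration written for this article, not Bugzilla's own (Perl) code; the bug record, the reporter's "real name" and the field names are constructed sample data, and the checker stands in for a feed reader's HTML renderer.

```python
"""Added example (not Bugzilla's code): escaping an untrusted "real name"
when it is embedded in an Atom feed.

A vulnerable generator escapes the XML layer once, which produces a feed
that parses fine but hands the reader live markup; the fixed generator
HTML-escapes the value first.  A small parser mimics what a reader does
so both variants can be checked.  All data below is constructed.
"""
from html import escape as html_escape
from html.parser import HTMLParser
from xml.sax.saxutils import escape as xml_escape
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample: a reporter whose display name carries a script payload.
# Field names are an assumption for this example, not Bugzilla's schema.
SAMPLE_BUG = {
    "id": 12345,
    "summary": "Crash when opening an attachment",
    "reporter_realname": "Mallory <script>alert(1)</script>",
}


def _feed(bug, summary_html):
    """Wrap one bug as a well-formed Atom feed around an already built HTML
    summary.  The XML escaping here only makes the document parse; what the
    reader renders depends on how summary_html was built."""
    return (
        f'<feed xmlns="{ATOM_NS}"><entry>'
        f"<title>Bug {bug['id']}: {xml_escape(bug['summary'])}</title>"
        f"<author><name>{xml_escape(bug['reporter_realname'])}</name></author>"
        f'<summary type="html">{xml_escape(summary_html)}</summary>'
        "</entry></feed>"
    )


def atom_feed_unsafe(bug):
    """Vulnerable pattern: the real name goes into the HTML summary raw.
    The feed is valid XML and looks escaped, but the reader undoes that one
    level of escaping and is left with a live <script> element."""
    summary_html = f"Reported by <b>{bug['reporter_realname']}</b>"
    return _feed(bug, summary_html)


def atom_feed_safe(bug):
    """Fixed pattern: HTML-escape the untrusted value while building the
    HTML, then let _feed XML-escape the result.  After the reader's single
    unescaping step the payload is inert text (&lt;script&gt;...)."""
    safe_name = html_escape(bug["reporter_realname"], quote=True)
    summary_html = f"Reported by <b>{safe_name}</b>"
    return _feed(bug, summary_html)


class _TagCollector(HTMLParser):
    """Minimal stand-in for a reader's HTML renderer: records start tags."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def summary_tags_as_rendered(feed_xml):
    """Do what a feed reader does: parse the XML (ElementTree removes the XML
    escaping), take the html-typed summary text, parse it as HTML and return
    the tag names a renderer would act on."""
    root = ET.fromstring(feed_xml)
    summary = root.find(f"{{{ATOM_NS}}}entry/{{{ATOM_NS}}}summary")
    collector = _TagCollector()
    collector.feed(summary.text or "")
    return collector.tags


def feed_renders_script(feed_xml):
    """True if an HTML-rendering reader would see a <script> tag."""
    return "script" in summary_tags_as_rendered(feed_xml)


if __name__ == "__main__":
    print("unsafe feed renders script:", feed_renders_script(atom_feed_unsafe(SAMPLE_BUG)))
    print("safe feed renders script:  ", feed_renders_script(atom_feed_safe(SAMPLE_BUG)))
```

Note that the `<author><name>` element needs only the XML escaping, because Atom defines it as plain text; the trap is the `type="html"` summary, where a single round of escaping is exactly what a reader reverses before rendering.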

Secunia's advisory tells users that the fix is to update to version 2.20.4, 2.22.2 or 2.23.4; no workaround short of upgrading is offered.

The Bugzilla project has also published its own security advisory, confirming that the issues are fixed in the new releases and describing what the patches address: "A possible cross-site scripting (XSS) vulnerability in Atom feeds produced by Bugzilla; Web server settings given by Bugzilla which provide security settings to protect data files from access via the web are overridden by the mod_perl startup script when running under mod_perl (development snapshot only)."

If you want to track bugs in your own application, or read the latest information about the affected releases, visit the official Bugzilla website.