CVE-2009-1213 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1213): Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing.
quoting Mozilla:

Versions: Every version before 3.2.3 or 3.3.4
Fixed In: 3.2.3, 3.3.4
Description: Attachment editing was vulnerable to a cross-site request forgery, because it did not validate that calls to attachment.cgi actually came from Bugzilla. Bugzilla now generates a token that is validated when an attachment is edited. Unfortunately, a fix for this issue was only possible for 3.2.3 and 3.3.4. Fixing it on earlier branches was not possible as attachment timestamps are not available to generate and validate tokens.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=476603
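A sketch of the kind of token check the advisory describes, added here as an example; it is not Bugzilla's code and not part of the original comments. It assumes an HMAC-SHA256 token over the user id, attachment id and attachment modification timestamp; the function names, secret and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for the example; a real site keeps this in protected config.
SITE_SECRET = b"constructed-example-secret"


def issue_edit_token(user_id, attach_id, modification_time):
    """Token placed in the edit form, bound to user, attachment and timestamp."""
    msg = f"edit_attachment|{user_id}|{attach_id}|{modification_time}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def validate_edit_request(user_id, attach_id, current_modification_time, token):
    """Accept the edit only if the token matches the attachment's current state."""
    if not token:
        return False  # a request forged from another site carries no valid token
    expected = issue_edit_token(user_id, attach_id, current_modification_time)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def demo():
    """Run four constructed edit requests for attachment 42 as user 7."""
    mtime = "2009-02-03 10:15:00"  # constructed timestamp
    token = issue_edit_token(7, 42, mtime)
    return {
        "legitimate": validate_edit_request(7, 42, mtime, token),
        "no_token": validate_edit_request(7, 42, mtime, ""),
        "other_user": validate_edit_request(8, 42, mtime, token),
        "stale": validate_edit_request(7, 42, "2009-02-03 11:00:00", token),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```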
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
GLSA 201006-19