The changelog notes the following security fixes:
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
- Fix possible SQL injection via some session variables

Reproducible: Always
*** This bug has been marked as a duplicate of bug 824918 ***