Closed
Bug 1135069
Opened 10 years ago
Closed 10 years ago
bugzilla.mozilla.org is vulnerable to XSS vulnerability.
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: alfredgotu, Unassigned
Attachments: 1 file (deleted), image/jpeg
Hello,
-Description:
My name is Hamza Bettache and I'm a web apps security researcher. Today I've found an XSS vulnerability on bugzilla.mozilla.org; I'll demonstrate it on landfill.bugzilla.org,
which is the Bugzilla test server.
The vulnerability happens when we inject our payload in an HTML file as an attachment file and, while adding it, we change its format to HTML Source (text/html).
-Steps to reproduce the vulnerability:
1- Go to https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi and file a new bug. In our example I've filed a bug here:
https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=26526. Then go down, click on 'Add an attachment' and select our HTML file, which contains the following payload:
<script>alert("xss found by Hamza Bettache");</script>
"><svg/onload=prompt(document.domain)>
We fill in the file 'Description' because it's required, change the file format to HTML Source (text/html) and then click on submit.
We get an attached file:
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3982
which can be executed for logged-in and logged-out users.
Here's a POC (proof of concept):
https://www.youtube.com/watch?v=gkZ9bXgr8LE&feature=youtu.be
At the end of the report I want to apologize because I've already tested the bug on bugzilla.mozilla.org before testing it on landfill.bugzilla.org, because I didn't know that
there's a testing server. Here's a POC (link):
https://bugzilla.mozilla.org/attachment.cgi?id=8567066
The attached file is a screen capture after executing the bug on both domains.
I hope you'll fix it as soon as possible.
Regards...
Hamza.
Updated by Reporter • 10 years ago
Group: bugzilla-security
Component: Attachments & Requests → General
Product: Bugzilla → bugzilla.mozilla.org
Version: unspecified → Development/Staging
Comment 1 • 10 years ago
Quoting from another bug:
As bugzilla.mozilla.org is used to track browser development, it would be highly detrimental to productivity if we always rendered attachments as text/plain.
Instead we serve attachments from a different subdomain; they don't have access to bugzilla's cookies.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
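The defence described in Comment 1 rests on the browser's same-origin rules: a session cookie set by the main Bugzilla host is never sent to a separate attachment host, so script running inside an attached HTML file cannot read or replay it. The following is an added example, not Bugzilla's own code, that models the two halves of that arrangement: RFC 6265 cookie domain matching (to show which cookie configurations keep the isolation and which leak across subdomains) and the serving decision that redirects attachment views from the main origin to the attachment origin. The host names bugzilla.example.org and bug-attachments.example.org are made up for the example.

```python
"""
Added example (not Bugzilla's code): why serving attachments from a separate
origin blunts script injected into a text/html attachment.

  1. cookie_sent_to(): RFC 6265 section 5.1.3 domain matching. Shows that a
     host-only session cookie set by the main host is never sent to the
     attachment host, while a cookie scoped to the parent domain would be.
  2. route_attachment(): the front-end decision for attachment.cgi?id=N.
     Views requested on the main origin are redirected to the attachment
     origin; the attachment origin serves the file with nosniff so the
     declared type is honoured rather than guessed.

Host names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

MAIN_HOST = "bugzilla.example.org"             # hypothetical main origin
ATTACHMENT_HOST = "bug-attachments.example.org"  # hypothetical attachment origin


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # None -> host-only cookie (no Domain attribute)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, set_by_host: str, request_host: str) -> bool:
    """Would a browser attach `cookie`, set by `set_by_host`, to a request for `request_host`?"""
    if cookie.domain is None:
        # Host-only cookie: only the exact host that set it receives it.
        return request_host.lower() == set_by_host.lower()
    # Domain cookie: every host under that domain receives it.
    return domain_matches(request_host, cookie.domain)


def isolation_holds(session_cookie: Cookie) -> bool:
    """True if script on the attachment origin can never see the main site's session."""
    return not cookie_sent_to(session_cookie, MAIN_HOST, ATTACHMENT_HOST)


def route_attachment(request_host: str, content_type: str, attachment_id: int) -> dict:
    """Response a front end should produce for attachment.cgi?id=<attachment_id>."""
    if request_host.lower() != ATTACHMENT_HOST:
        # Never render user-supplied content on the origin that owns the session.
        return {
            "status": 302,
            "location": f"https://{ATTACHMENT_HOST}/attachment.cgi?id={attachment_id}",
        }
    # On the attachment origin the file may be rendered as its declared type;
    # nosniff stops the browser from upgrading e.g. text/plain to HTML.
    return {
        "status": 200,
        "headers": {
            "Content-Type": content_type,
            "X-Content-Type-Options": "nosniff",
        },
    }


if __name__ == "__main__":
    good = Cookie("session", "abc")                      # host-only
    leaky = Cookie("session", "abc", domain="example.org")  # shared with subdomains
    print("host-only cookie isolated:", isolation_holds(good))
    print("domain cookie isolated:   ", isolation_holds(leaky))
    print(route_attachment(MAIN_HOST, "text/html", 3982))
    print(route_attachment(ATTACHMENT_HOST, "text/html", 3982))
```

The check worth keeping from this is `isolation_holds`: the separate subdomain only helps while the session cookie stays host-only (or scoped to a domain the attachment host is not under). Setting `Domain=example.org` on the session cookie, for instance to share login across sibling sites, would silently hand the session to whatever the attachment host renders.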
Comment 2 by Reporter • 10 years ago
It's not only about cookies; it can be used as an open redirector.
Comment 3 by Reporter • 10 years ago
An open redirector isn't a valid bug here?
Comment 4 by Reporter • 10 years ago
Check the following link:
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3984
Updated by Reporter • 10 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 5 • 10 years ago
Please don't reopen. XSS includes cookies, redirecting and anything else you can do with JavaScript. This bug is the same as bug 1094540, which was also duped to the other bug.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → DUPLICATE
Comment hidden (off-topic)