even just discussing this subject here, even without your companies name, URL or other information, could be construed as a security breach!

Yes it could. It would have been better if he posted anonymously, but this shouldn't be his main concern. The vast majority of people who exploit these vulnerabilities know how to find them on their own. This does little to reduce the security of his web app.

As for informing your boss, I wouldn't make a big deal about it. Fix it, tell him you fixed a security problem, and suggest measures that would prevent the situation from arising in the future (secure programming standards, security audits, etc).