Sage extension for Mozilla Firefox RSS feed cross-site scripting
|sage-rssfeed-xss (32395)||Medium Risk|
Sage extension for Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when processing RSS feeds. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Upgrade to the latest version of Sage (1.3.10 or later), available from the Sage Web site. See References.
- JVN#84430861: Sage.
- mozdev.org Bugzilla Bug 16320: content filter exploit.
- Sage Web site: Sage: a feed reader for Firefox.
- BID-22493: Sage Extension Feed HTML Injection Vulnerability
- CVE-2007-0896: Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a