Sage extension for Mozilla Firefox RSS feed cross-site scripting

sage-rssfeed-xss (32395) The risk level is classified as MediumMedium Risk

Description:

Sage extension for Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when processing RSS feeds. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Platforms Affected:

  • Mozilla, Sage Extension 1.3.9

Remedy:

Upgrade to the latest version of Sage (1.3.10 or later), available from the Sage Web site. See References.

Consequences:

Gain Access

References:

  • JVN#84430861, Sage at http://jvn.jp/en/jp/JVN84430861/index.html.
  • mozdev.org Bugzilla Bug 16320, content filter exploit at http://mozdev.org/bugs/show_bug.cgi?id=16320.
  • Sage Web site, Sage: a feed reader for Firefox at http://sage.mozdev.org/.
  • BID-22493: Sage Extension Feed HTML Injection Vulnerability
  • CVE-2007-0896: Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a