Sage extension for Mozilla Firefox RSS feed cross-site scripting
| sage-rssfeed-xss (32395) |
Description:
Sage extension for Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when processing RSS feeds. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Platforms Affected:
- Mozilla, Sage Extension 1.3.9
Remedy:
Upgrade to the latest version of Sage (1.3.10 or later), available from the Sage Web site. See References.
Consequences:
Gain Access
References:
- JVN#84430861, Sage at http://jvn.jp/en/jp/JVN84430861/index.html.
- mozdev.org Bugzilla Bug 16320, content filter exploit at http://mozdev.org/bugs/show_bug.cgi?id=16320.
- Sage Web site, Sage: a feed reader for Firefox at http://sage.mozdev.org/.
- BID-22493: Sage Extension Feed HTML Injection Vulnerability
- CVE-2007-0896: Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a
