Mozilla Firefox Wizz RSS News Reader Extension RSS feed cross-site scripting

firefox-wizz-rssfeed-xss (33693) The risk level is classified as MediumMedium Risk

Description:

The Mozilla Firefox Wizz RSS News Reader Extension could allow a remote attacker to bypass cross-domain security restrictions and execute arbitrary script on a victim's system, caused by the improper validation of user-supplied input when processing RSS feeds. A remote attacker could exploit this vulnerability to execute code in the "chrome:" context, if the attacker could persuade the victim to load a specially-crafted RSS feed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Platforms Affected:

  • Mike Kroger, Wizz RSS News Reader 2.1.8

Remedy:

Upgrade to the latest version of Mozilla Firefox Wizz RSS News Reader Extension (2.1.9 or later), available from the Mozilla Web site. See References.

Consequences:

Gain Access

References:

  • Mozilla Web site, Wizz RSS News Reader at https://addons.mozilla.org/en-US/firefox/addon/424.
  • BID-23523: Wizz RSS Reader Cross Zone Scripting Vulnerability
  • CVE-2007-2060: Cross-zone scripting vulnerability in the Wizz RSS Reader before 2.1.9 extension to Mozilla Firefox allows remote attackers to execute arbitrary Javascript in the browser chrome via the RSS feed DOM.
  • SA24913: Mozilla Firefox Wizz RSS News Reader Extension Cross-Context Scripting
  • US-CERT VU#319464: The Wizz RSS Reader chrome access vulnerability
  • VUPEN/ADV-2007-1425: Wizz RSS News Reader Feed Handling Remote Chrome Code Execution Vulnerability

Reported:

Apr 17, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page