25 matches found
[Full-disclosure] RSS Injection in Sage part 2
RSS Injection is Sage part 2 2 months ago, both pdp and myself released a vulnerability and proof of concept exploit for Sage. see: http://michaeldaw.org/md-hacks/cross-context-scripting-with-sage/. This issue was resolved in Sage release 1.3.7 http://mozdev.org/bugs/showbug.cgi?id=15101. I found...
Firefox Sage扩展RSS Feed脚本注入漏洞
sage是Firefox的一个灵巧的RSS和Atom feed聚合扩展。 sage在处理RSS feed中的内容标签时存在输入验证错误,远程攻击者可能利用此漏洞在用户机器上执行恶意代码。 如果用户受骗添加了恶意的RSS feed并浏览了其内容的话,就会导致在本地环境中注入并执行任意HTML和脚本代码。 Mozine Sage 1.3.6 厂商补丁: Mozine ------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://addons.mozine.org/extensions/moreinfo.php?id=12%22...
CVE-2006-4712
Multiple cross-site scripting XSS vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read...
CVE-2006-4712
Multiple cross-site scripting XSS vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read...
Sage 1.3.6 - Input Validation
Sage 1.3.6 - Input Validation source: https://www.securityfocus.com/bid/19928/info The application is prone to an input-validation vulnerability that allows malicious HTML and script code to be injected before it is used in dynamically generated content. Attacker-supplied HTML and script code wou...