Vulnerability Description
Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary Javascript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sage-Mozdev | Sage | <= 1.3.8 |
References
- http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/Exploit
- http://secunia.com/advisories/22809PatchVendor Advisory
- http://www.securityfocus.com/archive/1/452010/100/0/threaded
- http://www.vupen.com/english/advisories/2006/4426
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30179
- http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/Exploit
- http://secunia.com/advisories/22809PatchVendor Advisory
- http://www.securityfocus.com/archive/1/452010/100/0/threaded
- http://www.vupen.com/english/advisories/2006/4426
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30179
FAQ
What is CVE-2006-6919?
CVE-2006-6919 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary Javascript in the local context via an RSS feed with an img tag containing the script followed by an extra trailin...
How severe is CVE-2006-6919?
CVE-2006-6919 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2006-6919?
Check the references section above for vendor advisories and patch information. Affected products include: Sage-Mozdev Sage.