CVE-2006-2420
CVE-2006-2420 is a vulnerability of currently unknown severity. Bugzilla 2.20rc1 through 2.20 and 2.21.1, when serving RSS 1.0 feeds, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element containing HTML-encoded sequences such as "&gt;", which some RSS readers decode and then render as HTML. The issue is not in Bugzilla itself but in design or documentation inconsistencies within RSS, or in implementation flaws in RSS readers. EPSS estimates a 1.54% chance of exploitation in the next 30 days.
Description
Bugzilla 2.20rc1 through 2.20 and 2.21.1, when serving RSS 1.0 feeds, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element containing HTML-encoded sequences such as "&gt;", which some RSS readers decode and then render as HTML. NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers. While this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. In practice, a bug summary containing markup such as a script or image tag is escaped correctly in the feed XML, recovered as the original markup by the reader's XML parser, and then executed if the reader inserts titles into its page as HTML rather than as text.
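To make the producer/reader ambiguity concrete, here is an added Python example; it is not code from this page, from NVD, or from the Bugzilla project. The feed markup, the bug summary, the bugzilla.example host, and the two reader rendering functions are all constructed for illustration. It shows that a once-escaped title is correct XML, that the reader's XML parser hands back the raw markup, and that only the reader's choice of HTML versus text rendering decides whether the markup executes; it also shows why a producer-side workaround (escaping twice) protects HTML-rendering readers at the cost of mangling titles in readers that already do the right thing.

```python
import html
import re
import xml.etree.ElementTree as ET

RSS_NS = "http://purl.org/rss/1.0/"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed bug summary: the kind of text any bug reporter can type as a title.
SUMMARY = "Crash on load <img src=x onerror=alert(1)>"


def build_feed(bug_id, summary, double_encode=False):
    """Return a minimal RSS 1.0 feed carrying the bug summary as the item title.

    Escaping once is what any correct XML producer does. double_encode=True adds
    the extra layer some producers emit so that readers which render titles as
    HTML still display the text literally (a workaround; RSS 1.0 does not
    specify it). The feed skeleton is a constructed example, not a real
    Bugzilla template.
    """
    text = html.escape(summary, quote=False)
    if double_encode:
        text = html.escape(text, quote=False)
    return (
        '<?xml version="1.0"?>\n'
        f'<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns="{RSS_NS}">\n'
        '  <channel rdf:about="https://bugzilla.example/buglist.cgi">\n'
        '    <title>Example bug list</title>\n'
        '  </channel>\n'
        f'  <item rdf:about="https://bugzilla.example/show_bug.cgi?id={bug_id}">\n'
        f'    <title>{text}</title>\n'
        f'    <link>https://bugzilla.example/show_bug.cgi?id={bug_id}</link>\n'
        '  </item>\n'
        '</rdf:RDF>\n'
    )


def item_titles(feed_xml):
    """What an RSS reader's XML parser hands back: entity references are already
    resolved, so a once-escaped '<' comes back as a literal '<'."""
    root = ET.fromstring(feed_xml)
    return [t.text or "" for t in root.findall(f"{{{RSS_NS}}}item/{{{RSS_NS}}}title")]


def render_as_html(title):
    """The vulnerable reader pattern: the decoded title goes straight into the
    page as HTML (the browser equivalent is element.innerHTML = title)."""
    return f"<h2>{title}</h2>"


def render_as_text(title):
    """The safe reader pattern: the decoded title is treated as text and escaped
    again for the HTML context (equivalent to element.textContent = title)."""
    return f"<h2>{html.escape(title, quote=False)}</h2>"


def contains_active_markup(rendered_html):
    """Crude detector for tags that came from the feed rather than from the
    reader's own <h2> template."""
    return re.search(r"<(img|script|svg|iframe)\b", rendered_html, re.I) is not None


if __name__ == "__main__":
    for double in (False, True):
        title = item_titles(build_feed(4242, SUMMARY, double_encode=double))[0]
        print(f"double_encode={double}: parser returns {title!r}")
        for name, render in (("HTML-rendering reader", render_as_html),
                             ("text-rendering reader", render_as_text)):
            out = render(title)
            print(f"  {name}: {out!r} -> active markup: {contains_active_markup(out)}")
```

Running the script shows the four combinations: a once-escaped feed is harmless in a text-rendering reader and executes the image tag's event handler in an HTML-rendering reader; a twice-escaped feed is harmless in both, but the text-rendering reader now shows the literal string "&lt;img ...&gt;" to the user. That trade-off is exactly why the NVD note places the root cause in RSS reader behaviour rather than in the feed producer.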
Metrics
No CVSS metrics are recorded on this page.
Weakness Enumeration
No CWE is recorded on this page; the description is a cross-site scripting issue (CWE-79).
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Bugzilla | 2.20 |
| Mozilla | Bugzilla | 2.21 |
| Mozilla | Bugzilla | 2.21.1 |
References
- http://secunia.com/advisories/18979 (Patch, Vendor Advisory)
- http://www.bugzilla.org/security/2.18.4 (Patch, Vendor Advisory)
Frequently Asked Questions
What is CVE-2006-2420?
A cross-site scripting issue affecting Bugzilla 2.20rc1 through 2.20 and 2.21.1 when they serve RSS 1.0 feeds. A bug title that is correctly XML-encoded in the feed is decoded by the reader's XML parser and then rendered as HTML by some RSS readers, so markup placed in a bug summary executes in the reader. The weakness lies in how those readers treat title text rather than in Bugzilla's output, but the Bugzilla developers addressed it on the producer side.
How severe is CVE-2006-2420?
This page records no CVSS score, so the severity is unknown. EPSS estimates a 1.54% chance of exploitation in the next 30 days. Exposure is limited to users who view the feed in a reader that renders decoded titles as HTML.
How do I fix CVE-2006-2420?
Upgrade to a Bugzilla release that includes the fix described in the vendor advisory (http://www.bugzilla.org/security/2.18.4). Because the root cause is reader behaviour, also check that any RSS reader you operate treats feed titles as text and escapes them before inserting them into a page.
Source: NVD / NIST
