CVE-2007-0896

Sage <1.3.10 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a "<SCRIPT/=''SRC='" sequence in an RSS feed, a different vulnerability than CVE-2006-4712.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Fukumori · xmlremotemultiple

https://www.exploit-db.com/exploits/29573

View Code ZIP pw:eip

References (8)

[Vendor Advisory] http://jvn.jp/jp/JVN%2384430861/index.html

[Various Sources] http://mozdev.org/bugs/show_bug.cgi?id=16320

[Various Sources] http://sage.mozdev.org/blog/archives/2007/1/sage_1_3_10_released.html

[Vendor Advisory] http://secunia.com/advisories/24086

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/32395

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/22493

[Third Party Advisory, VDB Entry] http://osvdb.org/33131

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1017624

Scores

EPSS 0.0932

EPSS Percentile 92.6%

Classification

CWE

CWE-79

Status draft

Affected Products (4)

mozilla/firefox

sage/sage

sage/sage

sage/sage

Timeline

Published Feb 13, 2007

Tracked Since Feb 18, 2026