CVE-2006-2420

EPSS 0.69%
Published 16.05.2006 10:02:00
Last modified 03.04.2025 01:03:51
Source cve@mitre.org
Teams watchlist Login
Open Login

Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences such as ">", which are automatically decoded by some RSS readers.  NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers.  While this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it.

Affected products Warnungen 0 Metrics 2 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Mozilla ≫ Bugzilla Version2.20

Mozilla ≫ Bugzilla Version2.20 Updaterc1

Mozilla ≫ Bugzilla Version2.20 Updaterc2

Mozilla ≫ Bugzilla Version2.21

Mozilla ≫ Bugzilla Version2.21.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.69%	0.707

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://marc.info/?l=bugtraq&m=112818466125484&w=2

http://secunia.com/advisories/18979

Patch

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=313441

Patch

http://www.bugzilla.org/security/2.18.4

Patch

Vendor Advisory

http://www.osvdb.org/23379

https://exchange.xforce.ibmcloud.com/vulnerabilities/24820

https://nvd.nist.gov/vuln/detail/CVE-2006-2420

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2006-2420

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2006-2420

EUVD