RSSOwl Atom Feed Script HTML Injection Vulnerability

RSSOwl is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the My Computer folder, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to RSSOwl 1.2.3 are vulnerable.


 

Privacy Statement
Copyright 2010, SecurityFocus