CVE-2006-2420

2006-05-1610:02:00

CWE-79

mitre

web.nvd.nist.gov

cve-2006-2420

bugzilla

rss

xss

cross-site scripting

html encoding

vulnerability

security

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.6

Confidence

High

EPSS

0.021

Percentile

89.5%

JSON

Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences such as “>”, which are automatically decoded by some RSS readers. NOTE: this issue is not in Bugzilla itself, but rather due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers. While this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it.

Affected configurations

Nvd

Node

mozillabugzillaMatch2.20

mozillabugzillaMatch2.20rc1

mozillabugzillaMatch2.20rc2

mozillabugzillaMatch2.21

mozillabugzillaMatch2.21.1

VendorProductVersionCPE
mozillabugzilla2.20cpe:2.3:a:mozilla:bugzilla:2.20:*:*:*:*:*:*:*
mozillabugzilla2.20cpe:2.3:a:mozilla:bugzilla:2.20:rc1:*:*:*:*:*:*
mozillabugzilla2.20cpe:2.3:a:mozilla:bugzilla:2.20:rc2:*:*:*:*:*:*
mozillabugzilla2.21cpe:2.3:a:mozilla:bugzilla:2.21:*:*:*:*:*:*:*
mozillabugzilla2.21.1cpe:2.3:a:mozilla:bugzilla:2.21.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	bugzilla	2.20	cpe:2.3:a:mozilla:bugzilla:2.20:::::::*
mozilla	bugzilla	2.20	cpe:2.3:a:mozilla:bugzilla:2.20:rc1::::::
mozilla	bugzilla	2.20	cpe:2.3:a:mozilla:bugzilla:2.20:rc2::::::
mozilla	bugzilla	2.21	cpe:2.3:a:mozilla:bugzilla:2.21:::::::*
mozilla	bugzilla	2.21.1	cpe:2.3:a:mozilla:bugzilla:2.21.1:::::::*