CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS
Percentile: 89.5%

Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows remote
attackers to conduct cross-site scripting (XSS) attacks via a title element
with HTML encoded sequences such as “&gt;”, which are automatically decoded
by some RSS readers. NOTE: this issue is not in Bugzilla itself, but
rather due to design or documentation inconsistencies within RSS, or
implementation vulnerabilities in RSS readers. While this issue normally
would not be included in CVE, it is being identified since the Bugzilla
developers have addressed it.
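
The decoding mismatch described above, as an added example (not code from Bugzilla or from any RSS reader): a constructed RSS 1.0 item whose title text still holds encoded sequences after XML parsing, rendered once by a reader that decodes them again and once by a reader that treats the title as plain text. The feed, the URL and all function names are assumptions made for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed RSS 1.0 feed (sample data, not real Bugzilla output). After XML
# parsing, the title text contains the literal sequences "&lt;" and "&gt;".
FEED = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
  <item rdf:about="https://bugs.example.invalid/bug/1">
    <title>[Bug 1] &amp;lt;b&amp;gt;layout&amp;lt;/b&amp;gt; breaks</title>
    <link>https://bugs.example.invalid/bug/1</link>
  </item>
</rdf:RDF>"""

RSS_NS = "{http://purl.org/rss/1.0/}"


def item_titles(feed_xml):
    """Return each title's text after the single, correct XML decoding pass."""
    root = ET.fromstring(feed_xml)
    return [t.text or "" for t in root.iter(RSS_NS + "title")]


def render_decoding_reader(title):
    """Reader that decodes entities a second time and emits the result as HTML.
    Encoded sequences in the title become live markup (the XSS condition)."""
    return "<li>" + html.unescape(title) + "</li>"


def render_plain_text_reader(title):
    """Reader that treats the title as plain text and escapes it for HTML
    output, so the user sees the characters exactly as the feed carried them."""
    return "<li>" + html.escape(title, quote=True) + "</li>"


def contains_encoded_markup(title):
    """Check for feed producers or filters: does a second decoding pass turn
    this title into text that contains angle brackets?"""
    decoded = html.unescape(title)
    return decoded != title and any(c in decoded for c in "<>")


if __name__ == "__main__":
    for title in item_titles(FEED):
        print("parsed title      :", title)
        print("decoding reader   :", render_decoding_reader(title))
        print("plain-text reader :", render_plain_text_reader(title))
        print("encoded markup?   :", contains_encoded_markup(title))
```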