CVSS: 6.8EPSS: 5%CPEs: 1EXPL: 2CVE-2006-6919 – Sage 1.3.6 - Input Validation
https://notcve.org/view.php?id=CVE-2006-6919
Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary Javascript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script. Extensión Sage de Firefox 1.3.8 y versiones anteriores permite a atacantes remotos ejecutar código JavaScript de su elección en el contexto local mediante una entrada RSS con una etiqueta img conteniendo el scirpt seguido por un extra ">" final, que Sage modifica para cerrar el elemento img antes del script maligno. • https://www.exploit-db.com/exploits/28501 http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2 http://secunia.com/advisories/22809 http://www.securityfocus.com/archive/1/452010/100/0/threaded http://www.vupen.com/english/advisories/2006/4426 https://exchange.xforce.ibmcloud.com/vulnerabilities/30179 •
CVSS: 6.8EPSS: 8%CPEs: 1EXPL: 2CVE-2006-4712
https://notcve.org/view.php?id=CVE-2006-4712
Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka "Cross Context Scripting." Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Sage 1.3.6 permite a un atacante remoto inyectar secuencias de comandos web o HTMl de su elección a través de JavaScript en un contenido: elemento codificado dentro de un elemento del artículo en un alimentador RSS, como quedo demostrado por cuatrp ejemplos: elementos codificados que utilizaban XMLHttpRequest para leer archivos locales arbitrarios, también conocidos como “secuencia de comandos de sitios cruzados” . • http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml http://secunia.com/advisories/21839 http://securityreason.com/securityalert/1558 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite http://www.securityfocus.com/archive/1/445648/100/0/threaded http://www.securityfocus.com/bid/19928 http://www.snellspace.com/wp/?p=410 http://www.snellspace.com/wp/?p=448 http://ww • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2006-4711
https://notcve.org/view.php?id=CVE-2006-4711
Multiple cross-site scripting (XSS) vulnerabilities in Sage allow remote attackers to inject arbitrary web script or HTML via an Atom 1.0 feed, as demonstrated by certain test cases of the James M. Snell Atom 1.0 feed reader test suite. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Sage permite a un atacante remoto inyectar secuencias de comandos web o HTML de su elección a través del alimentador Atom 1.0, según lo demostrado por en cierto casos deprueba de la suite de prueba del lector James M. Snell Atom 1.0. • http://mozdev.org/bugs/show_bug.cgi?id=15101 http://www.snellspace.com/wp/?p=410 http://www.snellspace.com/wp/?p=448 •
CVSS: 5.0EPSS: 3%CPEs: 1EXPL: 3CVE-2003-1242 – Sage 1.0 Beta 3 - Content Management System Full Path Disclosure
https://notcve.org/view.php?id=CVE-2003-1242
Sage 1.0 b3 allows remote attackers to obtain the root web server path via a URL request for a non-existent module, which returns the path in an error message. • https://www.exploit-db.com/exploits/22269 http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html http://www.iss.net/security_center/static/11372.php http://www.securityfocus.com/bid/6893 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2003-1243 – Sage 1.0 Beta 3 - Content Management System Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2003-1243
Cross-site scripting vulnerability (XSS) in Sage 1.0 b3 allows remote attackers to insert arbitrary HTML or web script via the mod parameter. • https://www.exploit-db.com/exploits/22270 http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html http://www.securityfocus.com/bid/6894 https://exchange.xforce.ibmcloud.com/vulnerabilities/11371 •