CVE-2024-50346 – WebFeed HTML injection vulnerabilities
https://notcve.org/view.php?id=CVE-2024-50346
WebFeed is a lightweight web feed reader extension for Firefox/Chrome. Multiple HTML injection vulnerabilities in WebFeed can lead to CSRF and UI spoofing attacks. A remote attacker can serve a malicious RSS feed and lure the victim into opening it with WebFeed. The attacker can then inject malicious HTML into the extension page and trick the victim into sending HTTP requests to arbitrary sites with the victim's credentials. Users are vulnerable to CSRF attacks when visiting malicious RSS feeds via WebFeed.
• https://github.com/taoso/webfeed/commit/a2d1c1c3a98f30e0bd7a1bbcb746fae484985e6d
• https://github.com/taoso/webfeed/security/advisories/GHSA-mrc7-2q3w-48j8
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
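The injection class described above, shown as an added example: this is not WebFeed's code or its patch. The item field names (`title`, `link`, `summary`), the function names and the sample entry are assumptions constructed for illustration. It contrasts interpolating feed strings into extension-page markup with escaping them and restricting links to http(s).

```javascript
// Added example, not WebFeed's code. Field and function names are assumptions.

// Constructed feed entry, as a parser might hand it to the UI after reading
// attacker-controlled XML. The title closes the anchor and smuggles in a form.
const hostileItem = {
  title: 'Weekly digest</a><form action="https://other.example/update" method="post">' +
         '<button>Read more</button></form>',
  link: 'javascript:void(0)',
  summary: 'Plain text & an <img src="https://other.example/pixel"> tag',
};

// Vulnerable pattern: feed strings are interpolated into markup as-is, so the
// form above becomes live UI inside the extension page.
function renderUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a><p>${item.summary}</p></li>`;
}

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Only absolute http(s) links survive; anything else becomes an inert "#".
function safeLink(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#';
  }
}

// Hardened rendering: every feed-supplied field is treated as text, never markup.
function renderSafe(item) {
  const href = escapeHtml(safeLink(item.link));
  return `<li><a href="${href}" rel="noopener noreferrer">${escapeHtml(item.title)}</a>` +
         `<p>${escapeHtml(item.summary)}</p></li>`;
}
```

In a real extension page, building nodes with `textContent` and `setAttribute` gives the same guarantee without string templates.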