i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability

Bugtraq ID:	25849
Class:	Input Validation Error
CVE:	CVE-2007-5161
Remote:	Yes
Local:	No
Published:	Sep 28 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	Guy Mizrahi (ZuLL) is credited with the discovery of this vulnerability.
Vulnerable:	i-Systems Inc. Feedreader3 3.10
Not Vulnerable:

i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability

Feedreader3 is prone to an HTML-injection vulnerability.

Attacker-supplied HTML and script code could run in the context of the affected browser, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

This issue affects Feedreader3 3.10; other versions may also be affected.

i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into subscribing to a malicious RSS feed.

i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability

References:

• Feedreader3 Homepage (i-Systems Inc.)
  
• feedreader3 has XSS vulnerability (Guy Mizrahi)
  
• RE: feedreader3 has XSS vulnerability (avivra)