The Fizzle add-on for Mozilla Firefox contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate RSS feed data upon converting HTML entity code back into ASCII equivalents. This could allow a user to create a specially crafted feed that would execute untrusted code in a user's browser within a trusted context of the browser, leading to a loss of integrity.

Mozilla has removed the add-on page for this extension, however Google cache shows that the author of the extension had posted a notice verifying the vulnerability.

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
- Do not subscribe to untrusted XML feeds
- Disallow HTML within an XML feed if the option is present.

• CVE ID: 2007-1678 (see also: NVD)
• Bugtraq ID: 23144
• Secunia Advisory ID: 24654
• ISS X-Force ID: 33227
• VUPEN Advisory: ADV-2007-1112
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0369.html
• Vendor URL: https://addons.mozilla.org/firefox/1307/
• Keyword: RSS

• CrYpTiC MauleR - crypticmauleryahoo.com -