Published:2007/02/09  Last Updated:2008/05/21

Sage vulnerable to arbitrary script execution


Sage is an RSS and Atom feed reader extension for Mozilla Firefox. If a malicious script is embedded in an RSS feed, Sage does not properly handle the data, which may allow an arbitrary script to be executed on a user's web browser.
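The defensive counterpart to the flaw described above is to never hand feed item HTML to the browser unsanitized. The following is an added example, not Sage's own code: an allowlist sanitizer for untrusted feed content that keeps a small set of formatting tags, drops every other tag (script, object, style, and so on) together with all attributes, re-escapes text, and lets only http(s) links through. The tag allowlist and the `sanitizeFeedHtml` / `safeHref` names are choices made for this example.

```javascript
// Added example (not Sage's own code): allowlist sanitizer for feed item HTML.
// Everything not explicitly allowed is dropped; text between tags is re-escaped;
// only http(s) hrefs survive, and no other attribute is ever copied through.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li',
                              'blockquote', 'code', 'pre', 'a']);
const VOID_TAGS = new Set(['br']);
// One tag token: "<name attrs>" or "</name>". Attribute text is captured only so that
// an http(s) href can be recovered for <a>; it is never echoed to the output.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// An ampersand that does not start a well-formed entity reference.
const BARE_AMP_RE = /&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)/g;

function escapeText(text) {
  return text
    .replace(BARE_AMP_RE, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Returns the href value if it is an absolute http(s) URL, otherwise null
// (javascript:, data:, file: and relative links are all rejected).
function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  if (!m) return null;
  const href = (m[1] ?? m[2] ?? m[3]).trim();
  return /^https?:\/\//i.test(href) ? href : null;
}

function sanitizeFeedHtml(html) {
  let out = '';
  let last = 0;
  const open = []; // stack of allowed tags currently open, so output stays balanced
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index)); // text before this tag
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    const isClose = m[0].startsWith('</');
    if (!ALLOWED_TAGS.has(name)) continue; // drop disallowed tags entirely
    if (VOID_TAGS.has(name)) {
      if (!isClose) out += `<${name}>`;
      continue;
    }
    if (isClose) {
      const i = open.lastIndexOf(name);
      if (i === -1) continue; // stray closing tag: ignore
      while (open.length > i) out += `</${open.pop()}>`;
      continue;
    }
    if (name === 'a') {
      const href = safeHref(m[2]);
      out += href ? `<a href="${escapeText(href)}" rel="noopener noreferrer">` : '<a>';
    } else {
      out += `<${name}>`;
    }
    open.push(name);
  }
  out += escapeText(html.slice(last)); // trailing text
  while (open.length) out += `</${open.pop()}>`; // close anything left open
  return out;
}

module.exports = { sanitizeFeedHtml, safeHref, escapeText };
```

Because the tokenizer only recognises `<letter...>` as a tag, anything malformed (an unterminated tag, a comment, a bare `<`) falls through to `escapeText` and is rendered as literal text, which is the failure mode you want for untrusted input. The rendered result should then be inserted into a sandboxed or low-privilege document, not into chrome-privileged UI.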

Products Affected

  • Sage 1.3.9 and earlier
This vulnerability affects Sage++ as well.
As of February 9, 2007, Sage++ is no longer available and is no longer being updated. It is recommended that Sage++ users use the latest version of Sage.



An arbitrary script may be executed on Mozilla Firefox. For example, local files could be accessed.


Vendor Status


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.02.09

Measures                  | Conditions                                                                                                                                   | Severity
Access Required           | Routed - can be attacked over the Internet using packets                                                                                     | High
Authentication            | None - anonymous or no authentication (IP addresses do not count)                                                                            | High
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | Medium
Exploit Complexity        | Low - little to no expertise and/or luck required to exploit (cross-site scripting)                                                          | High

Description of each analysis measure


Daiki Fukumori of Secure Sky Technology, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
JVN iPedia JVNDB-2007-000134

Update History