PT-2006-5490 · Sage · Sage

David Kierznowski · Published 2006-09-12 · Updated 2018-10-17 · CVE-2006-4712

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Sage version 1.3.6

Description: The issue allows remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed. This can be used to read arbitrary local files, as demonstrated by example content:encoded elements that utilize XMLHttpRequest.

Recommendations: For Sage version 1.3.6, consider disabling the processing of JavaScript within content:encoded elements in RSS feeds as a temporary workaround until a patch is available. Restrict access to sensitive local files to minimize the risk of exploitation.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2006-4712

Affected Products: Sage