CVE-2006-2420

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.20rc1 through 2.20 and 2.21.1

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a title element with HTML encoded sequences, such as >, which are automatically decoded by some RSS readers. This is due to design or documentation inconsistencies within RSS, or implementation vulnerabilities in RSS readers, rather than a flaw in Bugzilla itself.

Recommendations For Bugzilla versions 2.20rc1 through 2.20 and 2.21.1, consider disabling the use of RSS 1.0 feeds until the issue is resolved, or restrict access to RSS feeds to minimize the risk of exploitation.