CVE-2011-1158 in Universal Feed Parser
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.
Analysis
by VulDB Data Team • 02/02/2025
The CVE-2011-1158 vulnerability represents a critical cross-site scripting flaw in the Universal Feed Parser library, specifically affecting versions 5.x prior to 5.0.1. This vulnerability resides in the feedparser.py component and demonstrates how feed parsing libraries can become attack vectors for web-based malicious code execution. The issue manifests when the parser encounters unexpected URI schemes within feed content, creating a pathway for remote attackers to inject arbitrary web scripts or HTML code into vulnerable applications that utilize this library for feed processing.
Exploitation relies on URI schemes embedded in feed data, with a javascript: URI as the documented demonstration vector. When Universal Feed Parser encounters such a scheme while processing a feed, it does not adequately validate or sanitize the value before passing it into the parsed output. Any application that renders that output in a browser without further sanitization therefore delivers the attacker's JavaScript to the victim's browser, where it runs in the context of the displaying site. The defect lies in the sanitization logic that should validate and normalize URI schemes but instead passes the untrusted value straight through to the output, a classic XSS attack surface.
The impact goes beyond script injection: a successful attack can enable session hijacking, credential theft, redirection to malicious sites, and data exfiltration. Applications that use Universal Feed Parser to aggregate RSS or Atom feeds are exposed whenever they display parsed content without additional sanitization. Any system that processes feeds from untrusted sources is affected, which makes the flaw particularly dangerous in content management systems, news aggregators, and social media platforms that consume external feeds. A malicious feed entry containing a javascript: URI executes when a user views the entry, potentially compromising the user's session and exposing sensitive information.
This vulnerability maps directly to CWE-79, which describes Cross-Site Scripting flaws in software applications, and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript. The weakness stems from inadequate input validation and output encoding practices within the feed parsing library, where URI schemes are not properly sanitized before being included in the parsed output. Organizations using affected versions of Universal Feed Parser should immediately upgrade to version 5.0.1 or later, which implements proper URI scheme validation and sanitization. Additional mitigations include implementing Content Security Policy headers, sanitizing feed content before display, and employing web application firewalls to detect and block suspicious URI patterns. The vulnerability also underscores the importance of validating all external input in feed processing systems and demonstrates how seemingly benign parsing operations can become security risks when proper sanitization controls are not implemented.
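As an added example of the scheme validation described in the analysis and the "sanitize feed content before display" mitigation above (this is not feedparser's own code nor the fix shipped in 5.0.1), the following deny-by-default check drops link attributes whose scheme is not allowlisted. The allowlist `ALLOWED_SCHEMES`, the `LinkSanitizer` class and the sample entry are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Deny-by-default allowlist (constructed for this example): any scheme not
# listed here, including javascript:, data: and vbscript:, is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

def is_safe_uri(uri):
    """True for relative references and absolute URIs with an allowlisted scheme."""
    # Browsers skip ASCII whitespace and control characters while reading the scheme,
    # so "java\tscript:" still runs; strip them before inspecting the scheme.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", uri)
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return True  # relative reference, resolved against the feed's base URI
    return scheme in ALLOWED_SCHEMES

class LinkSanitizer(HTMLParser):
    """Re-emit entry HTML, dropping URI-valued attributes that fail is_safe_uri."""
    URI_ATTRS = {"href", "src", "cite", "action"}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded values get decoded
        self.out, self.dropped = [], 0

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower() in self.URI_ATTRS and value and not is_safe_uri(value):
                self.dropped += 1  # attribute removed; element and its text are kept
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # re-escape decoded text on the way out

def sanitize_entry_html(html):
    """Return (sanitized HTML, count of dropped URI attributes)."""
    parser = LinkSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample entry: a normal link plus a javascript: link obfuscated
# with mixed case and an entity-encoded tab.
SAMPLE_ENTRY = ('<p>Read <a href="https://example.com/post/1">the article</a> or '
                '<a href="JaVa&#9;ScRiPt:alert(1)">here</a>.</p>')
```

Checking the scheme after decoding entities and stripping control characters is what makes the allowlist hold up; matching the literal string `javascript:` would miss the obfuscated form in the sample.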