VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2021 · Updated Aug 4, 2024

CVE-2020-23054

Description

A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Vulnerability mechanics

Root cause

"Missing input validation and output encoding in the user agent input field allows injection of arbitrary script code."

Attack vector

An attacker crafts a malicious payload (e.g., `

Affected code

The vulnerability is located in the user agent input field of the User Agent String Switcher addon for Firefox. The malicious script code executes in the context of `window.navigator`, `ua-parser-js v0.7.19`, and `platform.js v1.3.3` when the user previews their custom user agent on the webbrowsertools.com service [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory recommends proper input validation and output encoding for the user agent input field to prevent script injection, but no fix commit or updated version has been published [ref_id=1].
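The recommended validation and output encoding can be sketched as follows. This is an added example, not code from the addon or from webbrowsertools.com; the function names, the 512-character limit and the sample string are assumptions made for illustration.

```javascript
// Added example: constructed names, not code from the addon or the test page.

const MAX_UA_LENGTH = 512; // assumed limit for this sketch

// Input validation: accept only printable ASCII of bounded length.
// This blocks control characters (CR/LF) but still permits "<" and ">",
// so it does not replace output encoding.
function validateUserAgent(ua) {
  return typeof ua === "string" &&
    ua.length > 0 &&
    ua.length <= MAX_UA_LENGTH &&
    /^[\x20-\x7E]+$/.test(ua);
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the user agent is concatenated into markup unchanged.
function renderPreviewUnsafe(ua) {
  return `<tr><td>navigator.userAgent</td><td>${ua}</td></tr>`;
}

// Hardened form: validate first, then encode at the point of output.
function renderPreviewSafe(ua) {
  if (!validateUserAgent(ua)) {
    return "<tr><td>navigator.userAgent</td><td>(rejected)</td></tr>";
  }
  return `<tr><td>navigator.userAgent</td><td>${escapeHtml(ua)}</td></tr>`;
}

// Constructed sample input: a user agent string carrying markup.
const SAMPLE_UA = "Mozilla/5.0 (X11) <img src=x onerror=alert(1)>";

console.log(renderPreviewUnsafe(SAMPLE_UA)); // markup reaches the page as an element
console.log(renderPreviewSafe(SAMPLE_UA));   // markup is shown as inert text
```

In DOM code, assigning the value through `textContent` rather than `innerHTML` gives the same result without manual escaping.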

Preconditions

  • input: The victim must have the User Agent String Switcher addon installed and visit the webbrowsertools.com test page after the attacker's payload has been set.
  • input: The attacker must be able to supply a crafted User-Agent string containing script code into the addon's input field.
  • auth: The victim must interact (click or switch tabs) to trigger the preview of the injected user agent on the test page.

Reproduction

1. Install the User Agent String Switcher addon in Firefox. 2. Open the addon and inject a script payload (e.g., `

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
