SYM_GEN_0007 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | regex |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The template uses the '| safe' filter in Flask to disable autoescaping, which allows raw HTML to be rendered. If any user-supplied data is passed through this filter, it can lead to cross-site scripting (XSS) vulnerabilities.
Impact
If exploited, an attacker could inject malicious scripts into the page, allowing them to steal user data, hijack sessions, or perform actions on behalf of users. This can compromise user accounts and damage the application's reputation.