SYM_GEN_0012 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | generic |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
When translated strings are rendered in templates without explicit escaping, malicious code (like script tags) can be inserted via translation files. This exposes the application to untrusted content being rendered as HTML.
Impact
If exploited, attackers or compromised translation contributors could inject scripts into pages, leading to cross-site scripting (XSS) attacks. This can result in data theft, user session hijacking, or compromise of user accounts and application integrity.
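The following is an added example, not part of the original entry or of the rule it documents. It is written in Python because the entry is language-generic, and it shows a translated string rendered with and without escaping, plus a catalog audit that flags translations carrying markup their source string lacks. The catalog contents and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample catalog (source string -> translation); not from a real project.
CATALOG = {
    "Welcome back": "Bon retour",
    "Your cart is empty": "Votre panier est vide<script>alert(1)</script>",
    "Read the <b>terms</b>": "Lisez les <b>conditions</b>",
    "Help": '<a href="#" onclick="x()">Aide</a>',
}

# Matches the element name of an opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")

def translate(msgid, catalog=CATALOG):
    """Look up a translation, falling back to the source string."""
    return catalog.get(msgid, msgid)

def render_unsafe(msgid):
    # Weak pattern: the translation is placed into the page as raw HTML.
    return "<p>" + translate(msgid) + "</p>"

def render_escaped(msgid):
    # Hardened pattern: the translation is treated as text and escaped explicitly.
    return "<p>" + html.escape(translate(msgid), quote=True) + "</p>"

def tag_names(text):
    """Return the set of HTML element names that appear in text."""
    return {name.lower() for name in TAG_RE.findall(text)}

def audit_catalog(catalog):
    """List (source string, extra tags) for translations that add markup."""
    findings = []
    for msgid, msgstr in catalog.items():
        extra = tag_names(msgstr) - tag_names(msgid)
        if extra:
            findings.append((msgid, sorted(extra)))
    return findings

if __name__ == "__main__":
    print(render_unsafe("Your cart is empty"))
    print(render_escaped("Your cart is empty"))
    for msgid, extra in audit_catalog(CATALOG):
        print("review translation of %r: adds tags %s" % (msgid, extra))
```

The audit is a review aid for translation files and does not replace escaping at render time, since markup the source string already permits can still carry unwanted attributes.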