SYM_GEN_0013 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | regex |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
A template variable is rendered with the `|safeseq` filter, which marks each item of a sequence as safe and so disables automatic HTML escaping for those items. Any data passed through this variable is emitted as raw HTML, which is unsafe whenever the sequence can contain user input.
Impact
If untrusted user data is rendered without escaping, attackers could inject malicious scripts (XSS), potentially leading to data theft, session hijacking, or defacement of your website. This can compromise user security and damage your application's reputation.
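The rule is a regex match on template source. The Python below is an added example, not code from the Symbiotic database or from Django: a small regex finder for `|safeseq` usages over a constructed template, plus a helper that mimics what a sequence renders to with and without per-item escaping. The function names, the sample template and the sample input are all constructed for this illustration.

```python
import html
import re

# Matches a template variable tag that applies the safeseq filter,
# e.g. "{{ items|safeseq|join:', ' }}" or "{{ items | safeseq }}".
SAFESEQ_RE = re.compile(r"\{\{\s*(?P<expr>[^}]*?\|\s*safeseq\b[^}]*)\}\}")


def find_safeseq_usages(template_source: str) -> list[tuple[int, str]]:
    """Return (line_number, tag_text) for every {{ ... }} tag using |safeseq."""
    findings = []
    for lineno, line in enumerate(template_source.splitlines(), start=1):
        for match in SAFESEQ_RE.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


def render_sequence(items: list[str], mark_safe: bool) -> str:
    """Mimic the output of {{ items|join:", " }} (mark_safe=False, each item
    HTML-escaped) versus {{ items|safeseq|join:", " }} (mark_safe=True, each
    item passed through untouched, which is what safeseq does)."""
    if mark_safe:
        return ", ".join(items)
    return ", ".join(html.escape(item) for item in items)


# Constructed sample template; lines 3 and 4 should trigger the rule.
SAMPLE_TEMPLATE = """\
<ul>
  <li>{{ user.display_name }}</li>
  <li>Tags: {{ tags|safeseq|join:", " }}</li>
  <li>Links: {{ links | safeseq | join:"<br>" }}</li>
</ul>
"""

# Constructed user-controlled sequence containing markup.
USER_TAGS = ["news", "<b>unescaped</b>"]

if __name__ == "__main__":
    for lineno, tag in find_safeseq_usages(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {tag}")
    print(render_sequence(USER_TAGS, mark_safe=True))   # markup survives
    print(render_sequence(USER_TAGS, mark_safe=False))  # markup is escaped
```

Removing `|safeseq` (or applying `escape` per item before joining) restores escaping; the only legitimate use is a sequence whose every element is already trusted, sanitized HTML.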