SYM_GEN_0019 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using unquoted template variables as HTML attribute values can allow user input to break out of the attribute and inject malicious JavaScript. Always wrap template expressions in quotes to prevent this type of injection.
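The following is an added example, not part of the rule or of the Symbiotic database. It flags unquoted template expressions in attribute values and shows why HTML-escaping alone does not protect them: a space ends an unquoted value, so the rest is parsed as a new attribute. It assumes `{{ ... }}` delimiters and models the engine's escaping with `html.escape`; `find_unquoted`, `rendered_attrs` and the sample template are hypothetical names and constructed data.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: the template engine uses {{ ... }} delimiters and HTML-escapes output.
QUOTED_VALUE = re.compile(r"""=\s*(?:"[^"]*"|'[^']*')""")
UNQUOTED_EXPR = re.compile(r"([\w:-]+)\s*=\s*\{\{")

# Constructed sample template, not taken from any real project.
SAMPLE = """<input name=q value={{ query }}>
<a href="/u?id={{ uid }}">profile</a>
<img src='{{ avatar }}' alt={{ alt_text }}>
"""

def find_unquoted(template):
    """Heuristic scan: return (line, attribute) where attr={{ expr }} lacks quotes."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        # Blank out quoted values first so "?id={{ uid }}" inside href="..." is ignored.
        masked = QUOTED_VALUE.sub('=""', line)
        findings += [(lineno, m.group(1)) for m in UNQUOTED_EXPR.finditer(masked)]
    return findings

class AttrCollector(HTMLParser):
    """Collects every (name, value) attribute pair the HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def rendered_attrs(template, value):
    """Substitute the escaped value for each expression, then parse the result."""
    out = re.sub(r"\{\{.*?\}\}", lambda _m: html.escape(value), template)
    parser = AttrCollector()
    parser.feed(out)
    parser.close()
    return dict(parser.attrs)

if __name__ == "__main__":
    print(find_unquoted(SAMPLE))
    value = "x data-extra=1"  # constructed input; html.escape leaves it unchanged
    print(rendered_attrs("<input value={{ v }}>", value))    # two attributes
    print(rendered_attrs('<input value="{{ v }}">', value))  # one attribute
```

The scan is line-based and regex-driven, so it can miss multi-line tags and can flag `name={{ x }}` appearing in text content; treat hits as candidates for review.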
Impact
If exploited, attackers could execute arbitrary JavaScript in users' browsers (XSS), potentially stealing session cookies, impersonating users, or modifying site content. This can lead to data breaches, account compromise, and damage to user trust.