SYM_GEN_0020 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | generic |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

The 'raw' helper in Rails views writes a string into the page without HTML-escaping it, bypassing the escaping that '<%= %>' applies by default. Any markup inside that string therefore becomes part of the rendered page rather than being displayed as text. If the string contains untrusted data (a comment body, a profile field, a query parameter), that data is rendered as-is and can introduce script into the page.
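To make the difference concrete, here is an added example (not code from the Symbiotic database or from Rails itself). It models the two rendering paths in plain Ruby: `render_comment_raw` reproduces what `raw` does (interpolation with no escaping), and `render_comment_escaped` applies `ERB::Util.html_escape`, which is the same escaping Rails' default output tag uses. It also includes a constructed source check, `find_raw_usages`, that flags template lines where `raw`, `.html_safe` or `<%==` is applied to something other than a string literal; the regex heuristic, the sample comment and the sample template are all assumptions made for this example, not a Rails or Brakeman API.

```ruby
require 'erb'

# Constructed sample of user-supplied content (e.g. a stored comment body).
USER_COMMENT = %q{Nice post! <script>alert("xss")</script>}

# Mirrors `raw` in a Rails view: the string is written into the page with no
# HTML escaping, so any markup in it becomes part of the DOM.
def render_comment_raw(body)
  "<div class=\"comment\">#{body}</div>"
end

# Mirrors Rails' default `<%= %>` output: ERB::Util.html_escape turns
# <, >, &, " and ' into entities, so the markup is shown as text, not executed.
def render_comment_escaped(body)
  "<div class=\"comment\">#{ERB::Util.html_escape(body)}</div>"
end

# Heuristic (assumption, not a real tool's rule): flag `raw`, `.html_safe` or
# `<%==` unless `raw` is followed directly by a string literal. The lookahead
# also rejects whitespace and "(" so the regex cannot backtrack around them.
RAW_PATTERN = /\braw\b\s*\(?\s*(?!["'\s(])|\.html_safe\b|<%==/

# Returns [[line_number, stripped_line], ...] for every flagged line.
def find_raw_usages(template_source)
  template_source.each_line.with_index(1).filter_map do |line, no|
    [no, line.strip] if line.match?(RAW_PATTERN)
  end
end

# Constructed ERB template: line 2 is a literal (fine), line 4 passes user data.
SAMPLE_TEMPLATE = <<~ERB
  <h1><%= @post.title %></h1>
  <%= raw "<hr>" %>
  <% @post.comments.each do |c| %>
    <p><%= raw c.body %></p>
  <% end %>
ERB

if __FILE__ == $0
  puts render_comment_raw(USER_COMMENT)       # script tag survives intact
  puts render_comment_escaped(USER_COMMENT)   # script tag rendered as text
  find_raw_usages(SAMPLE_TEMPLATE).each { |no, line| puts "line #{no}: #{line}" }
end
```

The practical rule this illustrates: `raw` is acceptable for markup the application itself produces (the `<hr>` literal), never for values that originate from a request or the database. Where user-authored HTML genuinely must be displayed, it should go through an allowlist sanitizer before being marked safe, not through `raw` alone.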

Impact

An attacker who controls the unescaped content could inject script into your web pages and run it in other users' browsers, potentially stealing user data, hijacking sessions, or defacing the site. This exposes your application and its users to cross-site scripting (XSS) attacks.