SYM_GEN_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | regex |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Using unescaped variables with `&attributes` in Pug templates can let untrusted data be injected directly into HTML attributes. If externally supplied data reaches the object passed to `&attributes`, an attacker can insert malicious scripts.
Impact
If exploited, an attacker could execute JavaScript in users’ browsers (XSS), potentially stealing session cookies, impersonating users, or defacing the site. This can lead to data breaches, loss of user trust, and compliance issues for your application.
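One way to neutralize the data before it reaches `&attributes`, shown as an added example (not code from the rule or from Pug): allowlist attribute names, restrict URL schemes, and HTML-escape the values. The names `safeAttributes`, `ALLOWED` and `userAttrs` and the allowlist contents are assumptions.

```javascript
// Added example: not the Symbiotic rule's code and not part of Pug.
// Values applied through &attributes are written into the tag without
// escaping, so allowlist the names and escape the values first.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeAttr = (v) => String(v).replace(/[&<>"']/g, (c) => ESC[c]);

// Hypothetical allowlist: keep only what the template actually needs.
const ALLOWED = new Set(['class', 'id', 'title', 'href']);
const URL_ATTRS = new Set(['href']);
// Absolute http(s)/mailto, same-site paths, or fragments only.
const SAFE_URL = /^(https?:|mailto:|\/(?![\/\\])|#)/i;

function safeAttributes(untrusted) {
  const out = {};
  for (const [name, value] of Object.entries(untrusted || {})) {
    const key = name.toLowerCase();
    if (!ALLOWED.has(key)) continue; // drops on* handlers, style, unknown names
    if (typeof value !== 'string' && typeof value !== 'number') continue;
    const text = String(value).trim();
    if (URL_ATTRS.has(key) && !SAFE_URL.test(text)) continue; // e.g. javascript:
    out[key] = escapeAttr(text);
  }
  return out;
}

// Constructed sample standing in for request-derived attributes.
const sample = { title: 'a"b<c>', href: 'javascript:void(0)', onclick: 'x()', id: 'row-7' };

// In the template (userAttrs is a hypothetical local):
//   a&attributes(safeAttributes(userAttrs)) Link
console.log(safeAttributes(sample));
```

Because the values are already escaped here, the same object must not also be passed through an escaping attribute syntax, or the entities will be double-encoded.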