SYM_GEN_0031 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using unsanitized template variables directly in the 'href' attribute of anchor tags can let attackers inject malicious links, such as those starting with 'javascript:'. This exposes your application to cross-site scripting (XSS) attacks.
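The point above as an added example (not code from this rule or its database): HTML-escaping a template variable leaves its URL scheme unchanged, so a value bound to `href` also needs a scheme allowlist. `BASE`, `safeHref`, `renderLink`, `renderLinkEscapedOnly` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example, not part of the rule page. BASE is a placeholder origin
// (assumption) used only to resolve relative links during validation.
const BASE = "https://app.example/";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape a value for a double-quoted HTML attribute or text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return a normalized URL whose scheme is on the allowlist, or "#" otherwise.
// The WHATWG URL parser lowercases the scheme and drops leading whitespace and
// embedded tabs/newlines, as browsers do, so obfuscated schemes are still seen.
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted), BASE);
  } catch {
    return "#"; // unparseable input never reaches the attribute
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : "#";
}

// "Before": escaping only. The scheme is untouched, so javascript: survives.
function renderLinkEscapedOnly(href, text) {
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// "After": validate the scheme first, then escape for the attribute context.
function renderLink(href, text) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs.
const samples = ["/account/settings", "https://example.org/a?b=1&c=2",
  "javascript:void(0)", " JaVaScRiPt:void(0)", "java\tscript:void(0)", "data:text/html,hi"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderLink(s, "link"));
}
```

In a real application `BASE` would be the site's own origin, and the allowlist would contain only the schemes the feature needs.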
Impact
If exploited, an attacker could execute arbitrary JavaScript in the user's browser, potentially stealing session cookies, user data, or performing actions on behalf of the user. This can lead to account compromise, data leaks, or unauthorized actions within your application.