SYM_GEN_0061 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | generic |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | High |
Impact Level | Medium |
Likelihood Level | High |
Description
The Visualforce page is configured with an API version below 55.0. Pages at these API versions are not served with the Content Security Policy (CSP) headers that later API versions enforce. CSP does not stop a script from being injected, but it restricts what an injected script can load and execute in the browser; without it, any cross-site scripting (XSS) flaw in the page is easier to exploit and has fewer browser-side limits on its effect.
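A Visualforce page's API version lives in its deployment metadata (the `*.page-meta.xml` file, an `ApexPage` element in the `http://soap.sforce.com/2006/04/metadata` namespace). The script below is an added example, not part of this wiki entry or of any Salesforce tooling: it parses that metadata, flags pages whose `apiVersion` is below 55.0, and rewrites the version to the threshold. The two sample metadata files and their page names are constructed for the example.

```python
"""Flag and fix Visualforce page metadata whose apiVersion is below the CSP threshold."""
import xml.etree.ElementTree as ET

METADATA_NS = "http://soap.sforce.com/2006/04/metadata"
CSP_MIN_API_VERSION = 55.0  # threshold named by this finding

# Constructed sample *.page-meta.xml contents (hypothetical pages, not from a real org).
SAMPLE_PAGES = {
    "AccountSummary.page-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>48.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <confirmationTokenRequired>false</confirmationTokenRequired>
    <label>AccountSummary</label>
</ApexPage>
""",
    "CaseDashboard.page-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>58.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <confirmationTokenRequired>false</confirmationTokenRequired>
    <label>CaseDashboard</label>
</ApexPage>
""",
}


def _api_version_node(root: ET.Element) -> ET.Element:
    """Return the <apiVersion> element, validating that this is ApexPage metadata."""
    if root.tag != f"{{{METADATA_NS}}}ApexPage":
        raise ValueError(f"not ApexPage metadata: {root.tag}")
    node = root.find(f"{{{METADATA_NS}}}apiVersion")
    if node is None or not (node.text or "").strip():
        raise ValueError("apiVersion element missing or empty")
    return node


def page_api_version(meta_xml: str) -> float:
    """Parse the numeric apiVersion (e.g. 48.0) out of a page-meta.xml document."""
    return float(_api_version_node(ET.fromstring(meta_xml)).text.strip())


def is_below_csp_threshold(meta_xml: str, minimum: float = CSP_MIN_API_VERSION) -> bool:
    """True when the page's API version predates CSP enforcement."""
    return page_api_version(meta_xml) < minimum


def scan_pages(pages: dict) -> list:
    """Return the names of all pages (name -> metadata XML) that should be flagged."""
    return sorted(name for name, xml in pages.items() if is_below_csp_threshold(xml))


def raise_api_version(meta_xml: str, minimum: float = CSP_MIN_API_VERSION) -> str:
    """Return the metadata with apiVersion raised to `minimum` if it was lower.

    Pages already at or above the threshold are returned unchanged in value.
    """
    # Keep the Salesforce namespace as the default (no ns0: prefix) on output.
    ET.register_namespace("", METADATA_NS)
    root = ET.fromstring(meta_xml)
    node = _api_version_node(root)
    if float(node.text.strip()) < minimum:
        node.text = f"{minimum:.1f}"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name in scan_pages(SAMPLE_PAGES):
        print(f"{name}: apiVersion {page_api_version(SAMPLE_PAGES[name])} < {CSP_MIN_API_VERSION}")
        print(raise_api_version(SAMPLE_PAGES[name]))
```

Raising the API version changes more than the CSP headers: other version-dependent behaviour of the page changes with it, so the page should be retested after the bump. CSP is also only a mitigating layer; the page's own output encoding (for example, not disabling escaping on merge fields) remains the primary defence against XSS.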
Impact
An attacker who finds an injection point in the page can run script in the victim's browser session, stealing user data, hijacking the session, or performing actions on behalf of the user. Because the page lacks CSP, the browser imposes no restriction on where that script may load resources from or send data to. This can lead to data breaches, account compromise, and loss of user trust in the application.