SYM_GEN_0062 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | generic |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A7:2017 - Cross-Site Scripting (XSS) |
Confidence Level | High |
Impact Level | Medium |
Likelihood Level | High |
Description
Visualforce pages are missing the `cspHeader` attribute set to `true` on their `<apex:page>` tag. Without it, the page does not declare the Content-Security-Policy (CSP) that the browser should enforce, so nothing at the browser level restricts which scripts the page may load or execute. CSP is a defense-in-depth control rather than a replacement for output encoding: omitting it removes a mitigation layer, which makes any injection point on the page easier to exploit for cross-site scripting (XSS).
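The following is an added example and is not code from the Symbiotic-Vulnerability-Database wiki or from Salesforce. It is a small Python checker that classifies Visualforce page markup by its `cspHeader` setting, reports the pages that fail this rule (attribute missing, or present but not `"true"`), and rewrites the `<apex:page>` tag to set `cspHeader="true"`. The sample pages, their file names and controller names are constructed for illustration and do not come from any real org.

```python
import re

# Opening <apex:page ...> tag: captures the attribute text and an optional "/" for self-closing.
# \b after "page" keeps <apex:pageBlock> and <apex:pageMessages> from matching.
APEX_PAGE_TAG = re.compile(r"<apex:page\b([^>]*?)(/?)>", re.IGNORECASE)
# name="value" or name='value' pairs inside a tag.
ATTR = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_attributes(attr_text):
    """Return {lower-cased attribute name: value} for one tag's attribute text."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def check_csp_header(markup):
    """Classify a Visualforce page by its cspHeader setting.

    Returns one of:
      "ok"            cspHeader="true" is set explicitly
      "missing"       <apex:page> carries no cspHeader attribute
      "disabled"      cspHeader is present but its value is not "true"
      "no-apex-page"  the markup has no <apex:page> tag at all
    """
    m = APEX_PAGE_TAG.search(markup)
    if m is None:
        return "no-apex-page"
    attrs = parse_attributes(m.group(1))
    if "cspheader" not in attrs:
        return "missing"
    if attrs["cspheader"].strip().lower() == "true":
        return "ok"
    return "disabled"


def fix_csp_header(markup):
    """Return the markup with cspHeader="true" on <apex:page>; unchanged if already compliant."""
    m = APEX_PAGE_TAG.search(markup)
    if m is None:
        return markup
    attr_text, self_close = m.group(1), m.group(2)
    if re.search(r"\bcspHeader\s*=", attr_text, re.IGNORECASE):
        # Attribute exists (e.g. cspHeader="false"): overwrite its value.
        new_attr_text = re.sub(r"""(\bcspHeader\s*=\s*)(?:"[^"]*"|'[^']*')""",
                               r'\1"true"', attr_text, flags=re.IGNORECASE)
    else:
        # Attribute absent: append it to the existing attribute list.
        new_attr_text = attr_text.rstrip() + ' cspHeader="true"'
    new_tag = "<apex:page" + new_attr_text + self_close + ">"
    return markup[:m.start()] + new_tag + markup[m.end():]


def scan_pages(pages):
    """pages: {file name: markup}. Returns one finding per page that fails the rule."""
    findings = []
    for name, markup in pages.items():
        status = check_csp_header(markup)
        if status in ("missing", "disabled"):
            findings.append({"page": name, "rule": "SYM_GEN_0062", "status": status})
    return findings


# Constructed sample pages (hypothetical file and controller names, not from a real org).
SAMPLE_PAGES = {
    # Fails: no cspHeader attribute at all.
    "AccountSearch.page": """<apex:page controller="AccountSearchController" showHeader="false">
  <apex:form>
    <apex:inputText value="{!searchTerm}"/>
    <apex:commandButton action="{!search}" value="Search"/>
  </apex:form>
  <apex:pageBlock title="Results">
    <apex:outputText value="{!searchTerm}"/>
  </apex:pageBlock>
</apex:page>
""",
    # Fails: attribute present but explicitly disabled.
    "LegacyReport.page": """<apex:page cspHeader="false" sidebar="false">
  <apex:outputPanel layout="block">Legacy report</apex:outputPanel>
</apex:page>
""",
    # Passes: cspHeader="true" set explicitly.
    "ContactCard.page": """<apex:page standardController="Contact" cspHeader="true">
  <apex:outputField value="{!Contact.Name}"/>
</apex:page>
""",
}


if __name__ == "__main__":
    for f in scan_pages(SAMPLE_PAGES):
        print(f"{f['page']}: cspHeader {f['status']} ({f['rule']})")
    print(fix_csp_header(SAMPLE_PAGES["AccountSearch.page"]).splitlines()[0])
```

Run against a checkout of an org's `pages/` directory by reading each `.page` file into the dictionary passed to `scan_pages`. The checker only looks at the `<apex:page>` tag; it says nothing about whether the page's own output is escaped, which still has to be reviewed separately.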
Impact
If exploited, an attacker can inject and execute JavaScript in a victim's browser in the context of the Salesforce org, which can lead to theft of data rendered on the page, session hijacking, or actions performed with the victim's privileges. This can compromise user accounts, sensitive business data, and the security of the application as a whole.