SYM_GEN_0065 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Dynamically inserting template variables into the 'src' attribute of a script tag can allow attackers to inject malicious scripts, even if the variable is HTML-escaped. Using user-controlled or untrusted data for script URLs makes the page vulnerable to cross-site scripting (XSS) attacks.
Impact
If exploited, an attacker could load and execute arbitrary JavaScript in your users' browsers, leading to data theft, session hijacking, or full compromise of user accounts. This can damage user trust, expose sensitive information, and potentially allow further attacks against your application or its users.