SYM_GEN_0067 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | generic |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Using a template variable directly in an anchor tag's href attribute lets user input define the link destination. A browser treats an href such as `javascript:alert(document.cookie)` as script to run when the link is clicked, and the same applies to other script-capable schemes such as `data:` and `vbscript:` in older browsers. Attribute encoding alone does not prevent this: a `javascript:` URL contains nothing that HTML encoding would change, and browsers also ignore leading whitespace, embedded tabs and newlines, and letter case in the scheme, so naive string checks for the literal prefix `javascript:` are easy to bypass. The value must be parsed as a URL and its scheme validated against an allowlist (normally http and https, plus site-relative paths) before it is attribute-encoded and emitted.
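The following is an added example written for this entry; it is not code from the Symbiotic database or from any particular template engine. It contrasts a template helper that drops the variable straight into `href` with one that parses the value with the WHATWG `URL` API, accepts only http and https targets (resolving site-relative paths against an assumed base of `https://example.com/`), and then attribute-encodes the result. The function names, the base URL and the `#` fallback are assumptions for the illustration.

```javascript
// Added example for SYM_GEN_0067 (not from the original entry):
// unsafe versus validated rendering of a user-controlled href.

// Minimal HTML attribute encoder for double-quoted attribute values.
const escapeAttr = (s) =>
  String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");

// Vulnerable pattern: the template variable is placed directly in href,
// so a value such as "javascript:alert(1)" becomes a clickable script.
function renderLinkUnsafe(userUrl, label) {
  return `<a href="${userUrl}">${escapeAttr(label)}</a>`;
}

// Hardened pattern: parse the value as a URL and keep it only if the
// resolved scheme is on the allowlist. The WHATWG parser strips leading
// whitespace and embedded tabs/newlines and lower-cases the scheme, so
// "\tJaVaScRiPt:alert(1)" is recognised as javascript: and rejected.
// Anything unparsable or off-list is replaced with a harmless "#".
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ASSUMED_BASE = "https://example.com/"; // assumption: the site's own origin

function safeHref(userUrl, base = ASSUMED_BASE) {
  let parsed;
  try {
    parsed = new URL(String(userUrl), base);
  } catch {
    return "#";
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : "#";
}

function renderLinkSafe(userUrl, label) {
  // Validate first, then encode: encoding alone would not stop javascript:.
  return `<a href="${escapeAttr(safeHref(userUrl))}">${escapeAttr(label)}</a>`;
}
```

Scheme allowlisting stops script-capable URLs but does not, on its own, stop a link to an attacker-controlled site (for example a protocol-relative `//evil.example/` resolves to https and is accepted); compare `parsed.hostname` against your own hosts if off-site links are also unwanted.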
Impact
An attacker could craft input that causes users to execute arbitrary JavaScript when clicking a link, potentially stealing session cookies, hijacking accounts, or performing actions on behalf of the user. This compromises user data and trust, and can lead to further exploitation of your application.