SYM_GO_0020 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
User input taken from URL query parameters is written directly into HTTP responses through printf-style formatting, without sanitization or HTML escaping. Because the browser renders the response as HTML, an attacker who controls the parameter value can inject script into the page, which is a cross-site scripting (XSS) vulnerability.
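The pattern above, shown as an added example rather than code from the Symbiotic database or from any project it catalogues: a Go handler that formats a query parameter straight into the HTML body, next to two fixed versions (one that keeps the printf style but escapes the value with `html.EscapeString`, one that renders through `html/template`). The handler names, the `/greet` route, the `name` parameter and the probe value are all constructed for this example; the `render` helper drives each handler with an in-memory `httptest` request so the three behaviours can be compared without a network.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableGreet reproduces the pattern this entry describes: the "name"
// query parameter is interpolated straight into the HTML body with
// fmt.Fprintf, so any markup it contains is rendered by the browser.
func vulnerableGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	name := r.URL.Query().Get("name")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", name) // untrusted value in an HTML text context
}

// escapedGreet keeps the printf style but escapes the value for the HTML
// text context first, so < > & " ' become character references.
func escapedGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	name := r.URL.Query().Get("name")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", html.EscapeString(name))
}

// greetTmpl is parsed by html/template, which escapes {{.}} according to
// the context it appears in (text, attribute, URL, script) at execution time.
var greetTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.}}!</h1>"))

// templatedGreet is the idiomatic fix: render the page through html/template
// instead of assembling HTML with fmt.
func templatedGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	name := r.URL.Query().Get("name")
	if err := greetTmpl.Execute(w, name); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives a handler with an in-memory GET /greet?name=<value> request
// (no listener, no network) and returns the response body, so the three
// handlers can be checked in a test rather than by eye.
func render(h http.HandlerFunc, name string) string {
	req := httptest.NewRequest(http.MethodGet, "/greet?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed probe value: harmless markup that shows whether the
	// parameter reaches the page as HTML or as text.
	const probe = "<b>bold</b>"
	fmt.Printf("vulnerable: %s\n", render(vulnerableGreet, probe))
	fmt.Printf("escaped:    %s\n", render(escapedGreet, probe))
	fmt.Printf("templated:  %s\n", render(templatedGreet, probe))
}
```

Of the two fixes, `html/template` is the one to prefer: `html.EscapeString` is only correct for the HTML text context, whereas the template engine chooses the escaping for wherever the value lands (an attribute, a URL, an inline script), which is exactly where hand-escaped printf code tends to go wrong later.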
Impact
If exploited, attackers can execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, impersonating users, defacing the site, or launching further attacks. This compromises user data and trust, and may expose the organization to regulatory and reputational risks.