SYM_GO_0022 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Passing formatted or concatenated strings to `template.JS()` can embed unescaped, user-controlled data directly into JavaScript code, because `html/template` treats a `template.JS` value as trusted script and does not escape it. If any part of the string comes from an untrusted source, an attacker can inject malicious script.
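The flagged pattern beside the corrected one, as an added example that is not part of the original rule page. The template, the function names and the sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed template: the value lands inside a <script> block.
var page = template.Must(template.New("page").Parse(
	"<script>var name = {{.}};</script>"))

// render executes the template with the given data and returns the output.
func render(data interface{}) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderFlagged reproduces the pattern this rule reports: a formatted string
// wrapped in template.JS, which html/template emits verbatim as trusted script.
func renderFlagged(name string) (string, error) {
	return render(template.JS(fmt.Sprintf("'%s'", name)))
}

// renderEscaped passes the plain string instead, so html/template encodes it
// as a single quoted JavaScript string value for the script context.
func renderEscaped(name string) (string, error) {
	return render(name)
}

func main() {
	input := "'; alert(1); //" // constructed untrusted input
	for _, f := range []func(string) (string, error){renderFlagged, renderEscaped} {
		out, err := f(input)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

In the flagged output the quote in the input closes the string literal and the rest runs as code; in the escaped output the whole input stays inside one double-quoted string.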
Impact
If exploited, attackers could execute arbitrary JavaScript in users' browsers (Cross-Site Scripting), leading to data theft, account compromise, or manipulation of application behavior. This can damage user trust and expose sensitive information.