SYM_JAVA_0019 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | scala |
| Severity | high |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |

Description

User input is written into an Ok(...) result that is served as HTML (for example Ok(Html(...)) or Ok(...).as(HTML) in a Play Framework controller) without being escaped or sanitized. Building the markup by hand bypasses the template engine, whose default escaping is what normally neutralizes HTML metacharacters, so an attacker who controls the input can inject markup and script that the browser executes in the origin of the application. Note that a plain Ok(someString) is served as text/plain; the finding applies when the result's content type is HTML.
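As an added illustration (not code from this database entry or from any project it describes), the following Play Framework controller shows the pattern the finding describes next to two corrected forms. The controller name, the `name` request parameter and the `views.html.greet` template are assumptions made for the example.

```scala
import javax.inject.Inject
import play.api.mvc._
import play.twirl.api.{Html, HtmlFormat}

// Hypothetical controller used to demonstrate the finding.
class GreetingController @Inject() (cc: ControllerComponents) extends AbstractController(cc) {

  // VULNERABLE: the caller-controlled `name` is interpolated into raw markup and
  // served with Content-Type text/html. Html(...) wraps the string without any
  // escaping, so a request such as
  //   /greet?name=<script>alert(document.cookie)</script>
  // puts a script element in the page and the browser executes it.
  // The same problem exists with Ok(s"...").as(HTML).
  def greetUnsafe(name: String): Action[AnyContent] = Action {
    Ok(Html(s"<h1>Hello, $name!</h1>"))
  }

  // FIXED (manual markup): escape the value before it touches HTML.
  // HtmlFormat.escape replaces < > & " ' with entities, so the input is
  // rendered as text and cannot close the h1 or open a script element.
  def greetEscaped(name: String): Action[AnyContent] = Action {
    val safeName = HtmlFormat.escape(name).body
    Ok(Html(s"<h1>Hello, $safeName!</h1>"))
  }

  // PREFERRED: render through a Twirl template. Twirl escapes String values by
  // default, so `@name` inside the template is neutralized without extra code.
  // Assumes app/views/greet.scala.html exists and starts with `@(name: String)`.
  def greetTemplate(name: String): Action[AnyContent] = Action {
    Ok(views.html.greet(name))
  }
}
```

When reviewing code for this finding, look for Html(...) constructors, .as(HTML) / .as("text/html") calls and Html.apply on interpolated strings; any request-derived value reaching them must pass through HtmlFormat.escape (or a template) first. A Content-Security-Policy header is worthwhile defense in depth but does not replace output encoding.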

Impact

If exploited, an attacker can run script in the victim's browser within the origin of the application: read page content and data the victim can access, issue requests with the victim's credentials, steal session tokens that are not marked HttpOnly, or deface the page. This can lead to compromised user accounts, data breaches, and damage to the application's reputation.