Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Property	Value
Language	java
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input from the HttpServletRequest is being written directly to the HTTP response without proper encoding. This allows attackers to inject malicious scripts into web pages, leading to cross-site scripting (XSS) vulnerabilities.

Impact

If exploited, an attacker could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, defacing the site, or performing actions on behalf of users. This can compromise user data, damage trust, and expose the organization to compliance risks.