SYM_JSTS_0163 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Calling AngularJS's `$sce.trustAsUrl` on data that comes from user input marks that data as a trusted URL, which can allow attackers to inject malicious URLs into your application. If this input is not properly sanitized first, it can lead to security risks such as cross-site scripting (XSS).
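The pattern this rule flags, next to a validated alternative, as an added example that is not taken from the rule's source. The helper names (`unsafeLink`, `validateUrl`, `safeLink`), the option names and the `app.example` origin are assumptions for illustration; `$sce` is passed in as a parameter so the functions can be exercised outside an AngularJS injector.

```javascript
// Schemes the application is willing to trust (assumption: plain web links only).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Flagged pattern: user input goes straight into $sce.trustAsUrl, so AngularJS
// treats whatever scheme it carries (javascript:, data:, ...) as trusted.
function unsafeLink($sce, userInput) {
  return $sce.trustAsUrl(userInput);
}

// Parse the input, allow-list the scheme and (optionally) the origin, and
// return the normalized href, or null when the input must not be trusted.
function validateUrl(userInput, opts = {}) {
  if (typeof userInput !== 'string') return null;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips embedded tabs and
    // newlines, so "JaVa\tScRiPt:" is seen as "javascript:" here.
    parsed = new URL(userInput, opts.base);
  } catch (e) {
    return null; // unparseable, or relative with no base supplied
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (opts.allowedOrigins && !opts.allowedOrigins.includes(parsed.origin)) {
    return null; // blocks redirects to hosts outside the allow-list
  }
  return parsed.href;
}

// Hardened pattern: only a validated, normalized URL ever reaches trustAsUrl.
function safeLink($sce, userInput, opts) {
  const href = validateUrl(userInput, opts);
  return href === null ? null : $sce.trustAsUrl(href);
}
```

In a controller, `safeLink($sce, $routeParams.next, { base: location.origin, allowedOrigins: [location.origin] })` would replace a direct `$sce.trustAsUrl($routeParams.next)` call; a `null` result should be rendered as no link at all.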
Impact
If exploited, an attacker could inject harmful URLs or scripts, potentially leading to theft of user data, session hijacking, or redirection to malicious websites. This compromises user trust and can expose sensitive information or damage your application's reputation.