SYM_JSTS_0168 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
| --- | --- |
| Language | javascript |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Calling $sce.trustAsCss on a value that includes user input marks that value as trusted CSS, so an attacker who controls the input can inject malicious CSS. The risk arises when the input is not properly sanitized before it is trusted.
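
The flagged pattern beside a hardened form, as an added example that is not code from this wiki or from any scanned project. `$sce.trustAsCss` is the AngularJS call named above; the helper names, the colour allowlist and the stand-in `$sce` object (used so the file runs under Node without AngularJS) are assumptions.

```javascript
// Added example. `$sce.trustAsCss` is the AngularJS call named above; the helper
// names, the allowlist and the stand-in $sce object are hypothetical.

// Pattern the rule flags: user input is concatenated into the trusted value.
function themeCssUnsafe($sce, userColor) {
  return $sce.trustAsCss('color: ' + userColor);
}

// Allowlist: 3- or 6-digit hex colours, or a short set of named colours.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/;
const NAMED_COLORS = new Set(['black', 'white', 'red', 'green', 'blue']);

// Hardened form: only a value that matches the allowlist is ever trusted.
// Returns null (nothing trusted) for anything else.
function themeCssSafe($sce, userColor) {
  if (typeof userColor !== 'string') return null;
  const value = userColor.trim().toLowerCase();
  if (!HEX_COLOR.test(value) && !NAMED_COLORS.has(value)) return null;
  return $sce.trustAsCss('color: ' + value);
}

// Stand-in for the injected $sce service so the file runs under Node;
// it records every string that was marked as trusted.
function makeStandInSce() {
  const trusted = [];
  return {
    trusted,
    trustAsCss(value) {
      trusted.push(value);
      return { trustedCss: value };
    },
  };
}

// Constructed sample input: a colour followed by an extra declaration.
const CONSTRUCTED_INPUT = 'red; background-image: url(https://example.invalid/x.png)';

const demoSce = makeStandInSce();
themeCssUnsafe(demoSce, CONSTRUCTED_INPUT);   // extra declaration is trusted
themeCssSafe(demoSce, CONSTRUCTED_INPUT);     // rejected, nothing trusted
themeCssSafe(demoSce, ' #1A2b3C ');           // trusted as "color: #1a2b3c"
console.log(demoSce.trusted);
```

The hardened helper builds the trusted string from the validated token, so nothing outside the allowlist ever reaches `$sce.trustAsCss`.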

Impact

If exploited, an attacker could inject harmful CSS into your application, potentially manipulating the appearance of your site, stealing sensitive user data, or launching phishing attacks. This compromises user trust and can lead to further security breaches.