SYM_JSTS_0171 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Passing user-controlled data directly to the angular-translate `$translateProvider.translations()` method in an AngularJS application lets untrusted content become part of the translation table. Because translation strings are rendered into the page, any markup or script embedded in that data can end up in the application's UI.
## Impact
If exploited, an attacker could execute arbitrary JavaScript in users' browsers (Cross-Site Scripting), potentially stealing user data, hijacking sessions, or defacing the application. This compromises both user security and the application's trustworthiness.
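As an added example (not code from the Symbiotic database or from angular-translate): the flagged pattern beside a hardened version that escapes an untrusted translation table before registering it. The module name `app` and the sample translation document are assumptions.

```javascript
// Added example; the AngularJS wiring (module 'app', angular-translate's
// $translateProvider.translations / useSanitizeValueStrategy) is assumed and
// only runs where angular is loaded. The sanitizer itself runs anywhere.

// Escape the characters that matter in an HTML context so that a translation
// such as "<script>alert(1)</script>" is rendered as literal text.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Walk a (possibly nested) translation table and escape every string leaf.
// Non-string leaves are dropped: angular-translate renders strings only, and an
// array or function where a string is expected indicates a tampered document.
function sanitizeTranslationTable(table) {
  var out = {};
  Object.keys(table).forEach(function (key) {
    var value = table[key];
    if (typeof value === 'string') {
      out[key] = escapeHtml(value);
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = sanitizeTranslationTable(value);
    }
  });
  return out;
}

// Constructed sample of an untrusted translation document (e.g. fetched from a
// URL the user can influence).
var untrustedTranslations = {
  GREETING: 'Hello {{name}}',
  FOOTER: { COPYRIGHT: '&copy; 2024' },
  BANNER: '<script>alert(1)</script>'
};

var safeTranslations = sanitizeTranslationTable(untrustedTranslations);

if (typeof angular !== 'undefined') {
  angular.module('app').config(['$translateProvider', function ($translateProvider) {
    // Vulnerable pattern this rule flags:
    //   $translateProvider.translations('en', untrustedTranslations);
    // Hardened: register the escaped table and let angular-translate escape
    // interpolation parameters such as {{name}} too. 'escapeParameters' is used
    // rather than 'escape', which would re-escape the table and show "&lt;".
    $translateProvider.translations('en', safeTranslations);
    $translateProvider.useSanitizeValueStrategy('escapeParameters');
  }]);
}
```

Escaping turns legitimate markup such as `&copy;` into visible text; if translations genuinely need HTML, use angular-translate's `sanitize` strategy (which requires ngSanitize) instead of escaping.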