SYM_JSTS_0172 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | javascript |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Passing unsanitized user input to $sce.trustAsJs in AngularJS marks that input as trusted JavaScript, so the framework's Strict Contextual Escaping ($sce) no longer stands between it and execution. This bypasses Angular's default protections and makes the application vulnerable to malicious JavaScript injection.
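As an added illustration (not code from the Symbiotic database), the check below mirrors this rule: it scans JavaScript source for `$sce.trustAsJs(...)` calls and reports any whose argument is not a plain string literal, since a variable, property access or expression may carry user input. The AngularJS controller in `SAMPLE_SOURCE` is constructed for the example, with one unsafe call and one constant-literal call.

```javascript
// Added example mirroring the rule above; not part of the original page.
// Flags $sce.trustAsJs calls whose argument is anything other than a string
// literal. A literal cannot carry runtime user input; anything else might.
const CALL = "$sce.trustAsJs(";

// True when the whole argument is one '...' or "..." literal.
function isStringLiteral(arg) {
  return /^(['"])(?:(?!\1).)*\1$/.test(arg);
}

// Text between the balanced parentheses that open at openIdx, or null if the
// call is not closed on this line (nested parens inside the argument are kept).
function balancedArgument(text, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < text.length; i++) {
    if (text[i] === "(") depth++;
    else if (text[i] === ")" && --depth === 0) return text.slice(openIdx + 1, i).trim();
  }
  return null;
}

// One finding per trustAsJs call with a non-literal argument: { line, argument }.
function findUnsafeTrustAsJs(source) {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    let pos = line.indexOf(CALL);
    while (pos !== -1) {
      const arg = balancedArgument(line, pos + CALL.length - 1);
      if (arg !== null && !isStringLiteral(arg)) {
        findings.push({ line: index + 1, argument: arg });
      }
      pos = line.indexOf(CALL, pos + CALL.length);
    }
  });
  return findings;
}

// Constructed AngularJS controller: the first call feeds a query parameter to
// trustAsJs (this rule fires); the second trusts a constant the user cannot change.
const SAMPLE_SOURCE = `
angular.module('app').controller('WidgetCtrl', function ($scope, $sce, $location) {
  // Unsafe: query parameter flows straight into trustAsJs.
  $scope.widget = $sce.trustAsJs($location.search().code);
  // Safe: the trusted value is a fixed string literal.
  $scope.banner = $sce.trustAsJs('console.log("static")');
});
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findUnsafeTrustAsJs(SAMPLE_SOURCE)); // [{ line: 4, argument: "$location.search().code" }]
}
```

The checker is line-based and does not parse strings or comments, so it is a triage aid for reviewing `$sce` usage, not a substitute for tracing where each argument originates.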

Impact

If exploited, attackers could inject and execute arbitrary JavaScript in the user's browser, leading to data theft, session hijacking, or complete compromise of user accounts. This can result in severe security breaches and loss of user trust.