SYM_PY_0186 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A7:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Django escapes template variables by default, so `<`, `>`, `&`, `"` and `'` in a value rendered with `{{ var }}` reach the browser as HTML entities rather than as markup. Disabling that behaviour, either by building the template context with `autoescape=False` (for example `Context(data, autoescape=False)`, `RequestContext(request, data, autoescape=False)` or `Engine(autoescape=False)`) or by wrapping template code in `{% autoescape off %}`, causes untrusted user input to be rendered as raw HTML. This bypasses Django's built-in protection and introduces a cross-site scripting (XSS) vulnerability wherever a value in that context originates from a user. If one value genuinely must contain markup, keep autoescaping on and mark only that value as trusted, using `mark_safe` on server-generated HTML or `format_html` so the interpolated parts are still escaped; never apply either to user-controlled data.
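The following is an added example, not code from the Symbiotic Vulnerability Database or from Django itself. It shows the vulnerable pattern (a comment rendered through a `Context` built with `autoescape=False`) beside the safe default, and a small stdlib-only checker that flags the pattern in Python source and in template text, which is the kind of check this rule performs. The view code, the template fragment and the function names are constructed for illustration and are assumptions; the `Context`, `RequestContext` and `Engine` keyword `autoescape` and the `{% autoescape off %}` tag are real Django APIs.

```python
"""Flag Django code that turns template autoescaping off (CWE-79).

Stdlib only: the samples are analysed with `ast` and a regex, so this runs
without Django installed. Sample snippets are constructed for this example.
"""
import ast
import re
from dataclasses import dataclass

# Constructed sample: a view that renders a user-supplied comment with
# autoescaping disabled. If comment_text is '<script>alert(1)</script>',
# the script tag reaches the browser verbatim.
VULNERABLE_VIEW = '''
from django.template import Context, Engine

def render_comment(comment_text):
    engine = Engine()
    tmpl = engine.from_string("<p>{{ comment }}</p>")
    # autoescape=False: "<" is emitted as "<", not "&lt;"
    return tmpl.render(Context({"comment": comment_text}, autoescape=False))
'''

# Constructed sample: same view with Django's default left in place.
SAFE_VIEW = '''
from django.template import Context, Engine

def render_comment(comment_text):
    engine = Engine()
    tmpl = engine.from_string("<p>{{ comment }}</p>")
    # default autoescape=True: "<script>" becomes "&lt;script&gt;"
    return tmpl.render(Context({"comment": comment_text}))
'''

# Constructed sample: the template-level equivalent of the vulnerable view.
TEMPLATE_OFF = '<div>{% autoescape off %}{{ comment }}{% endautoescape %}</div>'


@dataclass
class Finding:
    line: int
    call: str
    detail: str


# Django constructors that accept an autoescape keyword.
AUTOESCAPE_CALLS = {"Context", "RequestContext", "Engine"}


def find_autoescape_off(source: str) -> list[Finding]:
    """Return every call to a Django context/engine constructor that passes
    a literal autoescape=False."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Handle both `Context(...)` and `template.Context(...)` spellings.
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in AUTOESCAPE_CALLS:
            continue
        for kw in node.keywords:
            if (kw.arg == "autoescape"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append(Finding(
                    node.lineno, name,
                    f"{name}(..., autoescape=False) renders variables as raw HTML"))
    return findings


# `{% autoescape off %}` with any whitespace inside the tag delimiters.
TEMPLATE_TAG = re.compile(r"{%\s*autoescape\s+off\s*%}")


def find_template_autoescape_off(template: str) -> list[int]:
    """Return 1-based line numbers of template lines that disable autoescaping."""
    return [i for i, line in enumerate(template.splitlines(), 1)
            if TEMPLATE_TAG.search(line)]


if __name__ == "__main__":
    for f in find_autoescape_off(VULNERABLE_VIEW):
        print(f"VULNERABLE_VIEW line {f.line}: {f.detail}")
    print("SAFE_VIEW findings:", find_autoescape_off(SAFE_VIEW))
    print("TEMPLATE_OFF lines:", find_template_autoescape_off(TEMPLATE_OFF))
```

The checker only reports a literal `False`; an `autoescape=flag` whose value is computed at runtime would need data-flow analysis, so treat any non-literal argument as worth a manual look. Running the safe sample through the same checker returns nothing, which is the state a code base should be in.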
Impact
If exploited, an attacker who controls a value rendered in the unescaped context can inject script into the page. That script runs in other users' browsers with their session, so it can steal data visible to those users, hijack their accounts (for example by exfiltrating session or CSRF tokens), or perform actions on their behalf. Beyond the direct damage, this undermines user trust in the application and may expose sensitive information or downstream systems.