SYM_PY_0191 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
| --- | --- |
| Language | python |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Autoescaping is turned off globally in your Django template configuration, so values rendered into templates are not HTML-escaped automatically. Any user-controlled value placed into a page is emitted verbatim, and HTML or script content inside it becomes part of the page, which makes it easy for attackers to inject malicious scripts into your site.
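As an added example (not part of this database entry or of Django itself), a pure-Python check that parses a settings.py with the `ast` module and reports each TEMPLATES engine whose OPTIONS set `'autoescape': False`. Both settings fragments are constructed samples, and `find_disabled_autoescape` is a hypothetical helper name; the safe fragment shows the corrected configuration beside the weak one.

```python
import ast

# Constructed settings.py fragments (sample input, not from any real project).
WEAK_SETTINGS = """TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'OPTIONS': {
            'autoescape': False,  # turns escaping off for every template: CWE-79
        },
    },
]
"""

SAFE_SETTINGS = """TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'OPTIONS': {
            # 'autoescape' left at its default (True); mark individual trusted
            # values with |safe instead of disabling escaping globally.
            'context_processors': [],
        },
    },
]
"""

def _const_str(node):
    """String held by a constant AST node, or None for anything else."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def find_disabled_autoescape(source):
    """Return (backend, line) for each TEMPLATES engine whose OPTIONS set autoescape to False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, (ast.List, ast.Tuple)):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "TEMPLATES" for t in node.targets):
            continue
        for engine in node.value.elts:
            if not isinstance(engine, ast.Dict):
                continue
            fields = {_const_str(k): v for k, v in zip(engine.keys, engine.values)}
            backend = _const_str(fields.get("BACKEND")) or "<unknown backend>"
            options = fields.get("OPTIONS")
            if not isinstance(options, ast.Dict):
                continue
            for key, value in zip(options.keys, options.values):
                if _const_str(key) == "autoescape" and isinstance(value, ast.Constant) and value.value is False:
                    findings.append((backend, value.lineno))
    return findings
```

The check only catches a literal `False`; a value computed at runtime (for example from an environment variable) is reported as clean, so review such settings by hand.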

Impact

If exploited, an attacker could execute cross-site scripting (XSS) attacks, allowing them to steal user data, hijack sessions, or deface pages. This can compromise user security and trust, potentially leading to data breaches or regulatory violations.