SYM_PY_0202 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
User input from the request is being included directly in the HttpResponseBadRequest response without sanitization or escaping. This allows attackers to inject malicious scripts into error messages shown in the browser.
Impact
If exploited, attackers could execute JavaScript in users' browsers (XSS), potentially stealing cookies or sensitive data, hijacking sessions, or performing actions on behalf of users. This can compromise user accounts and damage the application's reputation.