SYM_RB_0020 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Disabling HTML entity escaping in JSON responses allows untrusted user input to be included in the JSON output without its special HTML characters being encoded. When that output ends up in an HTML context, the unencoded characters make it easier for attackers to inject malicious scripts.
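The difference described above, as an added example that is not part of the wiki entry or the rule's own code. Ruby is assumed from the `RB` in the rule ID; `inline_script`, `breaks_out_of_script?` and the sample profile are hypothetical, and the `\uXXXX` rewrite stands in for an encoder's built-in entity escaping.

```ruby
require "json"

# Characters that let a JSON string break out of an HTML/script context.
# U+2028/U+2029 are included because older JavaScript engines treat them
# as line terminators inside string literals.
HTML_UNSAFE = /[<>&\u2028\u2029]/

# JSON with HTML entity escaping disabled: the behaviour the rule flags.
def encode_unescaped(data)
  JSON.generate(data)
end

# JSON with HTML-significant characters rewritten as \uXXXX escapes.
# Those characters can only occur inside JSON strings, so the result is
# still valid JSON that parses back to the same data.
def encode_escaped(data)
  JSON.generate(data).gsub(HTML_UNSAFE) { |c| format("\\u%04x", c.ord) }
end

# Hypothetical view helper: inlines a JSON document into a <script> block.
def inline_script(json)
  "<script>window.profile = #{json};</script>"
end

# True if the JSON body ends the surrounding <script> element early, i.e.
# the HTML parser would meet a closing tag before the helper's own.
def breaks_out_of_script?(json)
  inline_script(json).scan(%r{</script}i).length > 1
end

# Constructed sample: a user-controlled display name.
PROFILE = { "name" => "</script><script>alert(1)</script>" }.freeze

if __FILE__ == $PROGRAM_NAME
  [encode_unescaped(PROFILE), encode_escaped(PROFILE)].each do |json|
    puts json
    puts "  breaks out of <script>: #{breaks_out_of_script?(json)}"
    puts "  round-trips to same data: #{JSON.parse(json) == PROFILE}"
  end
end
```

Both encodings parse back to identical data, so enabling entity escaping costs API consumers nothing while removing the markup-significant bytes from the response.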
Impact
If exploited, attackers could perform cross-site scripting (XSS) by injecting scripts into JSON responses, which can lead to session hijacking, data theft, or manipulation of the application's content for users viewing the affected pages.