SYM_RB_0050 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | High |
Description
User input is being passed directly into the body or URL of Rails' `link_to` helper without proper escaping or validation. This can allow attackers to inject malicious content or scripts into generated links.
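One way to validate the URL side of this finding, as an added example that is not part of the rule's own documentation. `link_to` HTML-escapes its arguments but does not check the URL scheme, so the check below allowlists schemes before the value reaches the helper. `safe_href`, `render_link`, `ALLOWED_SCHEMES` and `FALLBACK_HREF` are names assumed for this sketch, and it uses only the Ruby standard library so it runs outside Rails.

```ruby
require "uri"
require "erb"

# Assumed policy for this example: user-supplied links may only be http(s)
# URLs or same-site absolute paths.
ALLOWED_SCHEMES = %w[http https].freeze
FALLBACK_HREF = "#"

# Returns the URL if it is safe to use as an href, otherwise FALLBACK_HREF.
def safe_href(url)
  candidate = url.to_s.strip
  # Browsers drop tabs and newlines inside a URL ("java\tscript:"), so any
  # control character is rejected rather than normalised.
  return FALLBACK_HREF if candidate.empty? || candidate.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(candidate)
  if uri.scheme
    return FALLBACK_HREF unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    return FALLBACK_HREF if uri.host.to_s.empty?
    candidate
  elsif candidate.start_with?("/") && !candidate.start_with?("//") && !candidate.include?("\\")
    candidate # same-site path; "//host" and "/\host" are treated as off-site
  else
    FALLBACK_HREF
  end
rescue URI::InvalidURIError
  FALLBACK_HREF
end

# Stand-in for the markup a safe link_to call produces: body and href escaped.
def render_link(label, url)
  href = ERB::Util.html_escape(safe_href(url))
  text = ERB::Util.html_escape(label.to_s)
  %(<a href="#{href}">#{text}</a>)
end

# In a Rails view (@user.website is a hypothetical attribute):
#   flagged:  <%= link_to raw(params[:label]), params[:url] %>
#   hardened: <%= link_to params[:label], safe_href(@user.website) %>
```

Keeping the link body as a plain string, without `raw` or `html_safe`, leaves Rails' own escaping in place for the text; the scheme check covers the part that escaping alone does not.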
Impact
If exploited, an attacker could perform Cross-Site Scripting (XSS) by injecting JavaScript or other harmful code, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of users. It undermines application trust and can result in data breaches or compromise of user accounts.