Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

User-controlled data is being directly inserted into the href attribute of an anchor tag. This allows attackers to inject malicious links, such as those starting with ‘javascript:’, leading to possible cross-site scripting (XSS) attacks.
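
The pattern described above, next to a hardened version, as an added example that is not part of the original rule page. The function names, the scheme allowlist and the `https://app.example/` base URL are assumptions chosen for illustration.

```javascript
// Added example: names, allowlist and base URL are assumptions, not from the rule page.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://app.example/"; // assumed site origin, used to resolve relative links

// Escape a value for use in HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the value is HTML-escaped but its scheme is never checked,
// so a "javascript:" URL survives intact as the link target.
function renderLinkUnsafe(href, label) {
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Return a normalized URL if its scheme is allowlisted, otherwise the inert "#".
// The WHATWG URL parser lowercases the scheme and strips leading whitespace and
// embedded tabs/newlines, so the check sees the scheme a browser would act on.
function safeHref(untrusted) {
  if (typeof untrusted !== "string") return "#";
  let url;
  try {
    url = new URL(untrusted, BASE);
  } catch {
    return "#"; // unparseable input never reaches the attribute
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : "#";
}

// Hardened pattern: validate the scheme first, then escape for the attribute context.
function renderLink(href, label) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(label)}</a>`;
}
```

Escaping alone does not help here because a `javascript:` URL contains no characters that HTML escaping changes; the scheme check is what closes the gap.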

Impact

If exploited, an attacker could execute arbitrary JavaScript in the user’s browser, potentially stealing session cookies, compromising user accounts, or defacing the site. This can result in loss of user trust and potential legal or compliance issues for the organization.