Property: value
Language: generic
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

The code includes URL parameters directly in Visualforce pages or scripts without escaping, allowing untrusted input to be rendered as part of the page. This exposes the application to Cross-Site Scripting (XSS) attacks because malicious users can inject harmful scripts through manipulated URLs.
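As an added example (not part of this rule's documentation), a hypothetical Visualforce page that echoes the `msg` URL parameter, first in the unsafe form the rule flags and then with output encoding matched to each rendering context; the parameter name and element ids are assumptions:

```html
<!-- VULNERABLE (hypothetical page): $CurrentPage.parameters.msg is rendered
     without escaping. Merge fields are never auto-escaped inside <script>,
     and escape="false" turns off the encoding apex:outputText does by default. -->
<apex:page>
  <apex:outputText value="{!$CurrentPage.parameters.msg}" escape="false"/>
  <div id="out"></div>
  <script>
    // The raw parameter lands inside a JavaScript string literal, so a
    // quote in the URL breaks out of the literal and into code.
    var msg = '{!$CurrentPage.parameters.msg}';
    document.getElementById('out').textContent = msg;
  </script>
</apex:page>

<!-- HARDENED (same page): encode for the context the value is emitted into. -->
<apex:page>
  <!-- Element content: leave escape at its default of true so the
       component HTML-encodes < > & " ' for us (no explicit HTMLENCODE
       needed here; combining both would double-encode). -->
  <apex:outputText value="{!$CurrentPage.parameters.msg}"/>
  <div id="out"></div>
  <script>
    // JavaScript string context: JSENCODE backslash-escapes quotes,
    // backslashes and line breaks so the value cannot close the literal.
    // Use JSINHTMLENCODE instead when the script sits in an HTML attribute.
    var msg = '{!JSENCODE($CurrentPage.parameters.msg)}';
    document.getElementById('out').textContent = msg;
  </script>
</apex:page>
```

Reviewers can check a page quickly by searching for `$CurrentPage.parameters` and confirming every occurrence inside a `<script>` block is wrapped in `JSENCODE` or `JSINHTMLENCODE`, and that no `apex:outputText` carrying it sets `escape="false"`.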

Impact

If exploited, attackers could execute arbitrary JavaScript in users’ browsers, leading to data theft, session hijacking, or unauthorized actions performed on behalf of users. This compromises user accounts, undermines trust, and may result in regulatory or reputational damage to the organization.