Property: Value
Language: generic
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The Visualforce page is configured with an API version below 55. Pages at those API versions do not enforce the required Content Security Policy (CSP) headers, so the page is more exposed to cross-site scripting (XSS) attacks.
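One way to find affected pages in a source checkout, as an added example that is not part of the original rule page: the script below parses each Visualforce page's metadata file and flags any whose API version is below the threshold the rule names. It assumes the standard Salesforce metadata layout in which every page has a companion `<name>.page-meta.xml` file carrying an `<apiVersion>` element in the `http://soap.sforce.com/2006/04/metadata` namespace; the two sample metadata files, the `force-app/main/default/pages` directory and the page names are constructed for the example.

```python
"""Flag Visualforce pages whose API version is below the CSP-enforcing threshold.

Added example, not code from the original rule page. Assumes the Salesforce
metadata layout in which each Visualforce page has a companion
`<name>.page-meta.xml` file whose <apiVersion> element sits in the
http://soap.sforce.com/2006/04/metadata namespace.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional, Tuple

MIN_CSP_API_VERSION = 55.0  # threshold stated by the rule
NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}


def page_api_version(meta_xml: bytes) -> Optional[float]:
    """Return the <apiVersion> of one page-meta.xml document, or None if absent/unparsable."""
    root = ET.fromstring(meta_xml)
    node = root.find("sf:apiVersion", NS)
    if node is None or node.text is None:
        return None
    try:
        return float(node.text.strip())
    except ValueError:
        return None


def is_below_csp_threshold(meta_xml: bytes) -> bool:
    """True when the page should be reported under this rule.

    A missing or unparsable version is reported too, so that a malformed
    metadata file does not silently escape the check.
    """
    version = page_api_version(meta_xml)
    return version is None or version < MIN_CSP_API_VERSION


def scan_directory(root: Path) -> List[Tuple[str, Optional[float]]]:
    """Walk a metadata tree and return (file name, api version) for every affected page."""
    findings = []
    for meta in sorted(root.rglob("*.page-meta.xml")):
        data = meta.read_bytes()
        if is_below_csp_threshold(data):
            findings.append((meta.name, page_api_version(data)))
    return findings


# Constructed sample: a page pinned to an older API version (affected by the rule).
OLD_PAGE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>48.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <confirmationTokenRequired>false</confirmationTokenRequired>
    <label>LegacyPage</label>
</ApexPage>
"""

# Constructed sample: the same page after raising apiVersion to the rule's threshold.
NEW_PAGE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>55.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <confirmationTokenRequired>false</confirmationTokenRequired>
    <label>CurrentPage</label>
</ApexPage>
"""


def scan_sample_tree() -> List[Tuple[str, Optional[float]]]:
    """Write both constructed samples into a temporary SFDX-style tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "force-app" / "main" / "default" / "pages"  # assumed layout
        pages.mkdir(parents=True)
        (pages / "LegacyPage.page-meta.xml").write_bytes(OLD_PAGE_META)
        (pages / "CurrentPage.page-meta.xml").write_bytes(NEW_PAGE_META)
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for name, version in scan_sample_tree():
        print(f"{name}: apiVersion {version} is below {MIN_CSP_API_VERSION}")
```

Run against a real checkout by calling `scan_directory(Path("path/to/project"))`; only `LegacyPage.page-meta.xml` is reported for the sample tree, because the corrected sample carries `<apiVersion>55.0</apiVersion>`, the value at which the rule stops firing.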

Impact

Attackers could inject malicious scripts into the page, potentially stealing user data, hijacking sessions, or performing unauthorized actions on behalf of users. This can lead to data breaches, account compromise, and loss of user trust in the application.