Property
Language: go
Severity: medium
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

User input from URL query parameters is being directly included in HTTP responses using printf-style formatting without sanitization. This allows attackers to inject malicious scripts into web pages, leading to cross-site scripting (XSS) vulnerabilities.
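As an added illustration that is not part of the original rule text, the following Go program shows the flagged pattern (a query parameter passed straight into `fmt.Fprintf`) beside two hardened forms, one using `html.EscapeString` and one using `html/template`. The handler names, the `name` parameter and the test input are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// Vulnerable pattern flagged by this rule: the query parameter is interpolated
// into an HTML response with Fprintf and no escaping.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", r.URL.Query().Get("name"))
}

// Minimal fix: HTML-escape the value before it reaches the format string.
func escapedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", html.EscapeString(r.URL.Query().Get("name")))
}

// Preferred fix: html/template escapes according to the output context
// (HTML text, attribute, URL, JS), so it also covers cases plain escaping misses.
var greetTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.}}!</h1>"))

func templateHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := greetTmpl.Execute(w, r.URL.Query().Get("name")); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives a handler with a constructed request and returns the response body.
func render(h http.HandlerFunc, rawQuery string) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/greet?"+rawQuery, nil))
	return rec.Body.String()
}

func main() {
	// Constructed input: harmless markup that reveals whether tags pass through unescaped.
	const q = "name=%3Cb%3Ebold%3C%2Fb%3E"
	fmt.Println(render(vulnerableHandler, q)) // <h1>Hello, <b>bold</b>!</h1>
	fmt.Println(render(escapedHandler, q))    // <h1>Hello, &lt;b&gt;bold&lt;/b&gt;!</h1>
	fmt.Println(render(templateHandler, q))   // <h1>Hello, &lt;b&gt;bold&lt;/b&gt;!</h1>
}
```

The first line of output shows the injected markup surviving into the page, which is exactly what this rule detects; the two hardened handlers emit it as inert text.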

Impact

If exploited, attackers can execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, impersonating users, defacing the site, or launching further attacks. This compromises user data and trust and may expose the organization to regulatory and reputational risk.